diff options
| author | Joshua Judson Rosen | 2014-10-20 00:31:09 -0400 |
|---|---|---|
| committer | Joshua Judson Rosen | 2014-10-20 00:31:09 -0400 |
| commit | fc04c7ac1f50aa5c147af5c0f8cd4a68b9e37990 (patch) | |
| tree | 231908e613dd600cc86fa88b5ba78b86b7af0f80 | |
| parent | afclient: support loading complete cert-chains from cerfile. (diff) | |
| download | apf-fc04c7ac1f50aa5c147af5c0f8cd4a68b9e37990.tar.gz | |
afserver: avoid requiring a specific SSL protocol version
Trust the clients to negotiate the latest/best protocol version they can.
This should generally improve security over time (as OpenSSL improves
and implements improved protocols) without having the APF codebase
or server/client deployments need to chase latest OpenSSL API additions,
causing portability problems, or breaking client deployments that
are hard to upgrade.
| -rw-r--r-- | src/afserver.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/afserver.c b/src/afserver.c index f509404..4c00d26 100644 --- a/src/afserver.c +++ b/src/afserver.c @@ -515,8 +515,17 @@ main(int argc, char **argv) maxfdp1 = 0; SSL_library_init(); - method = SSLv3_server_method(); + + /* Trust the clients to use whatever the latest/best SSL/TLS protocol + they can. This should generally mean that security automatically + improves as the server and client deployments upgrade to later + OpenSSL releases--without breaking older client deployments + that, for whatever reason, can't be immediately upgraded to + the latest APF/OpenSSL versions used on the server. + */ + method = SSLv23_server_method(); ctx = SSL_CTX_new(method); + if (SSL_CTX_set_cipher_list(ctx, "ALL:@STRENGTH") == 0) { aflog(LOG_T_INIT, LOG_I_CRIT, "Setting ciphers list failed... exiting"); |