mirror of https://github.com/osmarks/ngircd.git synced 2025-11-01 06:23:00 +00:00

Cipher list selection for OpenSSL

This patch introduces the possibility to arbitrarily select ciphers which
should be promoted resp. declined when establishing an SSL connection
with a client by implementing the new configuration option "CipherList".

By default, OpenSSL would accept low and medium strength and RC-4 ciphers,
which nowadays are known to be broken.

This patch only implements the feature for OpenSSL. A GnuTLS counterpart
has to be implemented in another patch ...

Original patch by Bastian <bastian-ngircd@t6l.de>.

Closes bug #162.
Alexander Barton
2013-09-15 15:09:36 +02:00
parent 849f85a05c
commit 84ed46d4c1
5 changed files with 48 additions and 1 deletions

@@ -248,6 +248,13 @@
# SSL Server Key Certificate
;CertFile = :ETCDIR:/ssl/server-cert.pem
# Select cipher suites allowed for SSL/TLS connections (OpenSSL only).
# This defaults to the empty string, so all supported ciphers are
# allowed. Please see 'man 1ssl ciphers' for details.
# The example below only allows "high strength" cipher suites, disables
# the ones without authentication, and sorts by strength:
;CipherList = HIGH:!aNULL:@STRENGTH
# Diffie-Hellman parameters
;DHFile = :ETCDIR:/ssl/dhparams.pem
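
Review bot: the comment added above ;CipherList says the option defaults to the empty string so that all supported ciphers are allowed, which means a server that never sets it keeps accepting the low and medium strength and RC-4 suites the commit message describes as broken. Consider making a restrictive string such as the HIGH:!aNULL:@STRENGTH value from the example the built-in default, or at least say in this comment that leaving the option unset keeps those weak suites enabled, so operators know they have to opt in. Since the option is OpenSSL only, the comment could also say what happens to the setting in a GnuTLS build, so that a configured CipherList is not silently assumed to be in effect there.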