Cipher list selection for OpenSSL

This patch introduces the possibility to arbitrarily select ciphers which should be promoted resp. declined when establishing a SSL connection with a client by implementing the new configuration option "CipherList". By default, OpenSSL would accept low and medium strength and RC-4 ciphers, which nowadays are known to be broken. This patch only implements the feature for OpenSSL. A GnuTLS counterpart has to be implemented in another patch ... Original patch by Bastian <bastian-ngircd@t6l.de>. Closes bug #162.
2025-09-10 22:36:03 +00:00 · 2013-09-15 15:09:36 +02:00
parent 849f85a05c
commit 84ed46d4c1
5 changed files with 48 additions and 1 deletions
--- a/man/ngircd.conf.5.tmpl
+++ b/man/ngircd.conf.5.tmpl
@@ -366,6 +366,13 @@ when it is compiled with support for SSL using OpenSSL or GnuTLS!
 \fBCertFile\fR (string)
 SSL Certificate file of the private server key.
 .TP
+\fBCipherList\fR (string)
+OpenSSL only: Select cipher suites allowed for SSL/TLS connections. This
+defaults to the empty string, so all supported ciphers are allowed. Please see
+'man 1ssl ciphers' for details. This setting allows only "high strength" cipher
+suites, disables the ones without authentication, and sorts by strength, for
+example: "HIGH:!aNULL:@STRENGTH".
+.TP
 \fBDHFile\fR (string)
 Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS
 "certtool \-\-generate-dh-params" or "openssl dhparam". If this file is not