The branch, master has been updated
via a8bf9b05aa94392b391d6015ed037e5c241ab172 (commit)
from 7d4349035d7981067d26dc02f750a36a9adc52cd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commitdiff
http://git.netsurf-browser.org/netsurf.git/commit/?id=a8bf9b05aa94392b391...
commit a8bf9b05aa94392b391d6015ed037e5c241ab172
Author: John-Mark Bell <jmb(a)netsurf-browser.org>
Commit: John-Mark Bell <jmb(a)netsurf-browser.org>
HTTPS: restrict ciphersuites
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index d37ce11..bf9d88b 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -67,6 +67,21 @@
/** maximum number of X509 certificates in chain for TLS connection */
#define MAX_CERTS 10
+/* the ciphersuites we are willing to use */
+#define CIPHER_LIST \
+ /* disable everything */ \
+ "-ALL:" \
+ /* enable TLSv1.2 PFS suites */ \
+ "EECDH+AES+TLSv1.2:EDH+AES+TLSv1.2:" \
+ /* enable PFS AES GCM suites */ \
+ "EECDH+AESGCM:EDH+AESGCM:" \
+ /* Enable PFS AES CBC suites */ \
+ "EECDH+AES:EDH+AES:" \
+ /* Enable non-PFS fallback suite */ \
+ "AES128-SHA:" \
+ /* Remove any PFS suites using weak DSA key exchange */ \
+ "-DSS"
+
/** SSL certificate info */
struct cert_info {
X509 *cert; /**< Pointer to certificate */
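Review bot: The comment above `"-ALL:"` should say why the minus form is used rather than `!ALL`: `-` removes suites from the working list but lets the clauses that follow re-add them, whereas `!` would remove them permanently and leave the list empty; suggested `/* disable everything ('-' not '!', so later clauses can re-add suites) */`. The `"AES128-SHA:"` entry is the only non-forward-secret suite kept and its comment gives no reason; if it is retained for interoperability with servers that offer no PFS suite, say so, e.g. `/* Enable non-PFS fallback suite (RSA key exchange, interop only) */`. Because the second hunk extends this macro by appending `":-TLSv1.2"`, a one-line note that the string is meant to be extended with further clauses would warn the next editor against reordering or terminating it. The same hunk is repeated verbatim in the full diff below.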
@@ -555,6 +570,8 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
/* Ensure server rejects the connection if downgraded too far */
SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
#endif
+ /* Disable TLS1.2 ciphersuites */
+ SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2");
}
SSL_CTX_set_options(sslctx, options);
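Review bot: The return value of `SSL_CTX_set_cipher_list` on the added line is not checked; OpenSSL returns 0 when no suite in the string can be selected and, as far as I recall, the context then keeps its previous cipher list, so a typo in `CIPHER_LIST` or an OpenSSL build lacking these suites would silently leave the default suites enabled on this path. If `fetch_curl_sslctxfun` returns a `CURLcode` as libcurl's ssl_ctx callback does, the call should become `if (SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2") != 1) return CURLE_SSL_CIPHER;` so the connection is refused rather than made with an unintended suite. The comment `Disable TLS1.2 ciphersuites` reads as if TLS 1.2 itself is being turned off; given the fallback-SCSV handling just above it, `/* Downgraded connection: drop the TLSv1.2-only suites from CIPHER_LIST */` states what the string actually does, though the enclosing conditional and the function both start outside the hunk so the exact condition is not visible here. The same hunk is repeated verbatim in the full diff below.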
@@ -1512,6 +1529,7 @@ nserror fetch_curl_register(void)
SETOPT(CURLOPT_LOW_SPEED_TIME, 180L);
SETOPT(CURLOPT_NOSIGNAL, 1L);
SETOPT(CURLOPT_CONNECTTIMEOUT, nsoption_uint(curl_fetch_timeout));
+ SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST);
if (nsoption_charp(ca_bundle) &&
strcmp(nsoption_charp(ca_bundle), "")) {
-----------------------------------------------------------------------
Summary of changes:
content/fetchers/curl.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index d37ce11..bf9d88b 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -67,6 +67,21 @@
/** maximum number of X509 certificates in chain for TLS connection */
#define MAX_CERTS 10
+/* the ciphersuites we are willing to use */
+#define CIPHER_LIST \
+ /* disable everything */ \
+ "-ALL:" \
+ /* enable TLSv1.2 PFS suites */ \
+ "EECDH+AES+TLSv1.2:EDH+AES+TLSv1.2:" \
+ /* enable PFS AES GCM suites */ \
+ "EECDH+AESGCM:EDH+AESGCM:" \
+ /* Enable PFS AES CBC suites */ \
+ "EECDH+AES:EDH+AES:" \
+ /* Enable non-PFS fallback suite */ \
+ "AES128-SHA:" \
+ /* Remove any PFS suites using weak DSA key exchange */ \
+ "-DSS"
+
/** SSL certificate info */
struct cert_info {
X509 *cert; /**< Pointer to certificate */
@@ -555,6 +570,8 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
/* Ensure server rejects the connection if downgraded too far */
SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
#endif
+ /* Disable TLS1.2 ciphersuites */
+ SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2");
}
SSL_CTX_set_options(sslctx, options);
@@ -1512,6 +1529,7 @@ nserror fetch_curl_register(void)
SETOPT(CURLOPT_LOW_SPEED_TIME, 180L);
SETOPT(CURLOPT_NOSIGNAL, 1L);
SETOPT(CURLOPT_CONNECTTIMEOUT, nsoption_uint(curl_fetch_timeout));
+ SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST);
if (nsoption_charp(ca_bundle) &&
strcmp(nsoption_charp(ca_bundle), "")) {
--
NetSurf Browser