From 351a23c3d644849e9cc6eb33b67fbaa7c118419b Mon Sep 17 00:00:00 2001 From: =?utf8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Thu, 18 Jan 2018 14:12:45 +0100 Subject: [PATCH] TLS server: enforce minimal TLS version and no compression Server side now enforces security requirements from draft-ietf-dprive-dtls-and-tls-profiles-11 section 9 --- daemon/tls.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/daemon/tls.c b/daemon/tls.c index 8e077955d..3031542c9 100644 --- a/daemon/tls.c +++ b/daemon/tls.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2016 American Civil Liberties Union (ACLU) - * 2016 CZ.NIC, z.s.p.o + * 2016-2018 CZ.NIC, z.s.p.o * * Initial Author: Daniel Kahn Gillmor * Ondřej Surý @@ -37,7 +37,13 @@ #define EPHEMERAL_CERT_EXPIRATION_SECONDS_RENEW_BEFORE 60*60*24*7 -static const char *priorities = "NORMAL"; +/* Mandatory security settings from + * https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-11#section-9 + * Performance optimizations are not implemented at the moment. */ +static const char *priorities = "@SYSTEM:" /* GnuTLS system-wide settings*/ + "-VERS-DTLS-ALL:" /* we do not support DTLS yet */ + "-VERS-TLS1.0:-VERS-TLS1.1:" /* TLS 1.2 and higher */ + "-COMP-ALL:+COMP-NULL"; /* no compression*/ /* gnutls_record_recv and gnutls_record_send */ struct tls_ctx_t { -- 2.47.3