- Support using system-wide crypto policies.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 13 Aug 2021 07:21:47 +0000 (09:21 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 13 Aug 2021 07:21:47 +0000 (09:21 +0200)
doc/Changelog
util/net_help.c

index f518a972f0a494de98808291a27819731a114c77..62c747c851e0d51b2e43d7796656fb52aceeda18 100644 (file)
@@ -1,3 +1,6 @@
+13 August 2021: Wouter
+       - Support using system-wide crypto policies.
+
 12 August 2021: George
        - Merge PR #514, from ziollek: Docker environment for run tests.
        - For #514: generate configure.
index 06bc1f5dd7e68686a1130caf9440e86bca97e04f..b2d2061c92c5213c2ecdee382247abf943e729f0 100644 (file)
@@ -945,9 +945,12 @@ listen_sslctx_setup(void* ctxt)
        }
 #endif
 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
+       /* if we detect system-wide crypto policies, use those */
+       if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) {
        /* if we have sha256, set the cipher list to have no known vulns */
-       if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
-               log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
+               if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
+                       log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
+       }
 #endif
 
        if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
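Review bot: The added `access("/etc/crypto-policies/config", F_OK)` test silently drops Unbound's hard-coded cipher list whenever that path exists, but the file's presence only shows that the distribution ships crypto policies, not that the libssl actually linked into this binary honours them; a bundled or self-built OpenSSL would then run on its own defaults with nothing logged. I would at least record the decision so an operator can tell which list is in effect, e.g. an `else` branch on the new `if` with `verbose(VERB_ALGO, "system-wide crypto policy detected, not setting the built-in cipher list");`, and consider gating the probe behind a configure option rather than a fixed path. Style: the `/* if we have sha256 ... */` comment now sits inside the new block but keeps the outer indentation while the `SSL_CTX_set_cipher_list` call it describes is one level deeper; indent it to match. listen_sslctx_setup starts before this hunk and continues after it.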