X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ustream-mbedtls.c;h=85bbb1c7c9ea18c04ba9bfcbba1e919a72e13c68;hb=3b06c65965a20c1893392e95c163a83e7ffa407a;hp=9b22ad281174666f498045c187aa57f07e2dd3a7;hpb=5322f9db23b69fdc2b4760a6cfd67848a11818a4;p=oweals%2Fustream-ssl.git
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 9b22ad2..85bbb1c 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -86,33 +86,43 @@ static int _urandom(void *ctx, unsigned char *out, size_t len)
 return 0;
 }
-#define TLS_DEFAULT_CIPHERS \
- TLS_CIPHER(AES_128_GCM_SHA256) \
- TLS_CIPHER(AES_256_GCM_SHA384) \
- TLS_CIPHER(AES_128_CBC_SHA) \
- TLS_CIPHER(AES_256_CBC_SHA) \
- TLS_CIPHER(3DES_EDE_CBC_SHA)
-
-static const int default_ciphersuites_nodhe[] =
+#define AES_GCM_CIPHERS(v) \
+ MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256, \
+ MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384
+
+#define AES_CBC_CIPHERS(v) \
+ MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA, \
+ MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
+
+#define AES_CIPHERS(v) \
+ AES_GCM_CIPHERS(v), \
+ AES_CBC_CIPHERS(v)
+
+static const int default_ciphersuites_server[] =
 {
-#define TLS_CIPHER(v) \
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
- MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
- MBEDTLS_TLS_RSA_WITH_##v,
- TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ AES_GCM_CIPHERS(ECDHE_ECDSA),
+ MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ AES_GCM_CIPHERS(ECDHE_RSA),
+ AES_CBC_CIPHERS(ECDHE_RSA),
+ AES_CIPHERS(RSA),
 0
 };
-static const int default_ciphersuites[] =
+static const int default_ciphersuites_client[] =
 {
-#define TLS_CIPHER(v) \
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
- MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
- MBEDTLS_TLS_DHE_RSA_WITH_##v, \
- MBEDTLS_TLS_RSA_WITH_##v,
- TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ AES_GCM_CIPHERS(ECDHE_ECDSA),
+ MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ AES_GCM_CIPHERS(ECDHE_RSA),
+ MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ AES_GCM_CIPHERS(DHE_RSA),
+ AES_CBC_CIPHERS(ECDHE_ECDSA),
+ AES_CBC_CIPHERS(ECDHE_RSA),
+ AES_CBC_CIPHERS(DHE_RSA),
+ MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ AES_CIPHERS(RSA),
+ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 0
 };
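Review bot: `default_ciphersuites_client` still ends with `MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA` and `MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA`, and both lists keep `AES_CIPHERS(RSA)`, so 64-bit-block 3DES and non-forward-secret static-RSA key exchange remain negotiable with nothing in the file saying why. If they are kept for compatibility with old peers, record that above the arrays, e.g. `/* preference order: AEAD with (EC)DHE first; static RSA and 3DES last, kept for legacy peers only */`, or drop the two 3DES entries. The server list offers `AES_CBC_CIPHERS(ECDHE_RSA)` but not `AES_CBC_CIPHERS(ECDHE_ECDSA)`; if that asymmetry is deliberate it deserves a word in the same comment. The CHACHA20_POLY1305 identifiers are presumably absent from older mbedtls headers, so a build against such a version would fail here unless those entries are guarded with `#ifdef`.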
@@ -152,10 +162,12 @@ __ustream_ssl_context_new(bool server)
 mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
 mbedtls_ssl_conf_rng(conf, _urandom, NULL);
- if (server)
- mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
- else
- mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
+ if (server) {
+ mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server);
+ mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_3);
+ } else
+ mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);
 #if defined(MBEDTLS_SSL_CACHE_C)
 mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
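Review bot: Only the server branch calls `mbedtls_ssl_conf_min_version(...)`, so a client context keeps the library's default protocol floor, which may allow versions below TLS 1.2 alongside the CBC and 3DES suites still present in `default_ciphersuites_client`. If the client is meant to stay permissive for old servers, say so with a comment such as `/* client keeps the library default minimum version for compatibility with legacy servers */`; otherwise make the call `mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);` once, outside the `if`. The `} else` arm is left unbraced next to a braced `if` arm; bracing both keeps a later addition to the client path from landing outside the branch. `__ustream_ssl_context_new` starts and ends outside this hunk, so any later version or verification settings are not visible here.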