From 5322f9db23b69fdc2b4760a6cfd67848a11818a4 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Mon, 21 May 2018 14:05:50 +0200 Subject: [PATCH] mbedtls: Fix setting allowed cipher suites The cipher suites should be set after the default settings are done, otherwise the settings will be overwritten with the defaults later on again. Also make the list of supported cipher suites match what Chrome tries to use. Signed-off-by: Hauke Mehrtens --- ustream-mbedtls.c | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c index 0b747d2..9b22ad2 100644 --- a/ustream-mbedtls.c +++ b/ustream-mbedtls.c @@ -87,21 +87,17 @@ static int _urandom(void *ctx, unsigned char *out, size_t len) } #define TLS_DEFAULT_CIPHERS \ - TLS_CIPHER(AES_256_CBC_SHA256) \ - TLS_CIPHER(AES_256_GCM_SHA384) \ - TLS_CIPHER(AES_256_CBC_SHA) \ - TLS_CIPHER(CAMELLIA_256_CBC_SHA256) \ - TLS_CIPHER(CAMELLIA_256_CBC_SHA) \ - TLS_CIPHER(AES_128_CBC_SHA256) \ TLS_CIPHER(AES_128_GCM_SHA256) \ + TLS_CIPHER(AES_256_GCM_SHA384) \ TLS_CIPHER(AES_128_CBC_SHA) \ - TLS_CIPHER(CAMELLIA_128_CBC_SHA256) \ - TLS_CIPHER(CAMELLIA_128_CBC_SHA) \ + TLS_CIPHER(AES_256_CBC_SHA) \ TLS_CIPHER(3DES_EDE_CBC_SHA) static const int default_ciphersuites_nodhe[] = { #define TLS_CIPHER(v) \ + MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \ + MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \ MBEDTLS_TLS_RSA_WITH_##v, TLS_DEFAULT_CIPHERS #undef TLS_CIPHER @@ -111,6 +107,8 @@ static const int default_ciphersuites_nodhe[] = static const int default_ciphersuites[] = { #define TLS_CIPHER(v) \ + MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \ + MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \ MBEDTLS_TLS_DHE_RSA_WITH_##v, \ MBEDTLS_TLS_RSA_WITH_##v, TLS_DEFAULT_CIPHERS @@ -147,19 +145,18 @@ __ustream_ssl_context_new(bool server) conf = &ctx->conf; mbedtls_ssl_config_init(conf); - if (server) { - mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe); - ep = MBEDTLS_SSL_IS_SERVER; - } else { - mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites); - ep = MBEDTLS_SSL_IS_CLIENT; - } + ep = server ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT; mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(conf, _urandom, NULL); + if (server) + mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe); + else + mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites); + #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_conf_session_cache(conf, &ctx->cache, mbedtls_ssl_cache_get, -- 2.25.1