case secure_protocol_sslv3:
meth = SSLv3_client_method ();
break;
+ case secure_protocol_pfs:
case secure_protocol_tlsv1:
meth = TLSv1_client_method ();
break;
if (!ssl_ctx)
goto error;
+ /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
+ * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
+ */
+ if (opt.secure_protocol == secure_protocol_pfs)
+ SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH");
+
SSL_CTX_set_default_verify_paths (ssl_ctx);
SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
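Review bot: The return value of `SSL_CTX_set_cipher_list` on the added line is discarded, so if the string selects no usable suite (for example an OpenSSL build that does not know one of the named aliases) the context silently keeps its default cipher list and the requested PFS restriction is lost; the function already has an error path, so `if (!SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH")) goto error;` would fail closed instead. Related, in the earlier hunk the new `secure_protocol_pfs` case selects `TLSv1_client_method ()`, which as far as can be seen here pins the handshake to TLS 1.0 rather than letting the client negotiate a newer version; `SSLv23_client_method ()` combined with `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` via `SSL_CTX_set_options` would keep the forward-secrecy goal while allowing TLS 1.1/1.2. The added comment would also help a later reader if it named what the exclusions buy, e.g. `/* !RSA drops static RSA key exchange (no forward secrecy); !aNULL drops unauthenticated suites */`. The enclosing function starts and ends outside this hunk.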
}
static int
-openssl_write (int fd, char *buf, int bufsize, void *arg)
+openssl_write (int fd _GL_UNUSED, char *buf, int bufsize, void *arg)
{
int ret = 0;
struct openssl_transport_context *ctx = arg;
}
static const char *
-openssl_errstr (int fd, void *arg)
+openssl_errstr (int fd _GL_UNUSED, void *arg)
{
struct openssl_transport_context *ctx = arg;
unsigned long errcode;
if (! is_valid_ip_address (hostname))
{
if (! SSL_set_tlsext_host_name (conn, hostname))
- {
- DEBUGP (("Failed to set TLS server-name indication."));
- goto error;
- }
+ {
+ DEBUGP (("Failed to set TLS server-name indication."));
+ goto error;
+ }
}
#endif
/* Compare and check for NULL attack in ASN1_STRING */
if (pattern_match ((char *)name_in_utf8, host) &&
(strlen ((char *)name_in_utf8) ==
- ASN1_STRING_length (name->d.dNSName)))
+ (size_t) ASN1_STRING_length (name->d.dNSName)))
{
OPENSSL_free (name_in_utf8);
break;
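Review bot: The `(size_t)` cast on the new line turns any negative `ASN1_STRING_length` result into `SIZE_MAX`, so a length error would be reported as a mismatch rather than being told apart from a genuine embedded-NUL case; that is the fail-closed direction, but it is not obvious from the line and deserves a comment, e.g. `/* A negative (error) length becomes SIZE_MAX here and so fails the check, which is the safe outcome. */`. The same cast is applied to the commonName comparison in the last hunk of this chunk, which continues past the end of what is shown, and the same remark applies there. The enclosing loop and function begin and end outside this hunk.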
success = false;
}
}
-
+
if (alt_name_checked == false)
{
/* Test commomName */
xentry = X509_NAME_get_entry(xname,i);
sdata = X509_NAME_ENTRY_get_data(xentry);
- if (strlen (common_name) != ASN1_STRING_length (sdata))
+ if (strlen (common_name) != (size_t) ASN1_STRING_length (sdata))
{
logprintf (LOG_NOTQUIET, _("\
%s: certificate common name is invalid (contains a NUL character).\n\