author | Sadie Powell <sadie@witchery.services> | 2021-05-25 17:10:20 +0100 |
---|---|---|
committer | Sadie Powell <sadie@witchery.services> | 2021-05-25 17:10:20 +0100 |
commit | 772f7ceb94242a8ebfadd0d4e31209c0b51c2923 (patch) | |
tree | b92fe9e82cb99c7859f5647c2691274cb1d17078 /src/modules | |
parent | 182cdec31090a4664e6532f1555f1dd70748a2bd (diff) |
Implement support for setting TLSv1.3 ciphersuites in ssl_openssl.
Diffstat (limited to 'src/modules')
-rw-r--r-- | src/modules/extra/m_ssl_openssl.cpp | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 0f4e2d713..f84468da8 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -217,10 +217,20 @@ namespace OpenSSL
 bool SetCiphers(const std::string& ciphers)
 {
+ // TLSv1 to TLSv1.2 ciphers.
 ERR_clear_error();
 return SSL_CTX_set_cipher_list(ctx, ciphers.c_str());
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ bool SetCiphersuites(const std::string& ciphers)
+ {
+ // TLSv1.3+ ciphers.
+ ERR_clear_error();
+ return SSL_CTX_set_ciphersuites(ctx, ciphers.c_str());
+ }
+#endif
+
 bool SetCerts(const std::string& filename)
 {
 ERR_clear_error();
@@ -408,7 +418,7 @@ namespace OpenSSL
 if (digest == NULL)
 throw Exception("Unknown hash type " + hash);
 
- std::string ciphers = tag->getString("ciphers");
+ const std::string ciphers = tag->getString("ciphers");
 if (!ciphers.empty())
 {
 if ((!ctx.SetCiphers(ciphers)) || (!clictx.SetCiphers(ciphers)))
@@ -418,6 +428,20 @@ namespace OpenSSL
 }
 }
 
+ const std::string ciphersuites = tag->getString("ciphersuites");
+ if (!ciphers.empty())
+ {
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ if ((!ctx.SetCiphersuites(ciphersuites)) || (!clictx.SetCiphersuites(ciphersuites)))
+ {
+ ERR_print_errors_cb(error_callback, this);
+ throw Exception("Can't set ciphersuite list to \"" + ciphersuites + "\" " + lasterr);
+ }
+#else
+ ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "You have configured <sslprofile:ciphersuites> but your version of OpenSSL does not support TLSv1.3+");
+#endif
+ }
+
 #ifndef OPENSSL_NO_ECDH
 const std::string curvename = tag->getString("ecdhcurve", "prime256v1", 1);
 if (!curvename.empty())
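Review bot: The guard in the third hunk tests the wrong string — the line after `const std::string ciphersuites = tag->getString("ciphersuites");` reads `if (!ciphers.empty())` and should be `if (!ciphersuites.empty())`, since it gates the new ciphersuite block. As written, a profile that sets `ciphers` but no `ciphersuites` calls SSL_CTX_set_ciphersuites() with an empty string, and as far as I can tell OpenSSL deliberately accepts an empty list and installs it, so the profile ends up with no TLSv1.3 ciphersuites and TLSv1.3 is silently disabled instead of an error being raised; conversely a profile that sets `ciphersuites` but not `ciphers` has the setting silently ignored. The `#else` branch only logs at LOG_DEBUG when the option is configured on an OpenSSL without TLSv1.3 support; a dropped cryptographic setting is worth a default-level log so the operator actually sees it. The enclosing function starts and ends outside the hunk.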