Update OpenSSL version and change sig algs
While the PSK cipher suites do not use any ECDHE/RSA signatures, in the future someone may change the code. In that case, as a robustness measure, already set the acceptable signature algorithms now. Additionally upgrade to OpenSSL v1.1.0e and include the comment to include X448 once it becomes available for TLS ECDHE (it's not yet, unfortunately).
This commit is contained in:
parent
8f2dabc053
commit
8b892e3347
2
Makefile
2
Makefile
@ -2,7 +2,7 @@
|
||||
all: luksrku luksrku-config
|
||||
|
||||
INSTALL_PREFIX := /usr/local/
|
||||
OPENSSL_DIR := `pwd`/openssl-1.1.0b/
|
||||
OPENSSL_DIR := `pwd`/openssl-1.1.0e/
|
||||
#OPENSSL_DIR := /home/joe/openssl/
|
||||
#LIBDIR := /usr/lib/x86_64-linux-gnu/
|
||||
LIBDIR := $(OPENSSL_DIR)
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
#
|
||||
|
||||
VERSION="1.1.0b"
|
||||
VERSION="1.1.0e"
|
||||
URL="https://www.openssl.org/source/openssl-${VERSION}.tar.gz"
|
||||
LOCAL_TARGZ="openssl-${VERSION}.tar.gz"
|
||||
LOCAL_DIR="openssl-${VERSION}"
|
||||
|
14
openssl.c
14
openssl.c
@ -79,16 +79,20 @@ bool create_generic_ssl_context(struct generic_ssl_ctx_t *gctx, bool server) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!SSL_CTX_set_max_proto_version(gctx->ctx, TLS1_2_VERSION)) {
|
||||
log_openssl(LLVL_FATAL, "Cannot set SSL generic context maximal version.");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!SSL_CTX_set_cipher_list(gctx->ctx, "ECDHE-PSK-CHACHA20-POLY1305")) {
|
||||
log_openssl(LLVL_FATAL, "Cannot set SSL generic context cipher suites.");
|
||||
return false;
|
||||
}
|
||||
|
||||
/* In the cipher suite we're using, none of these should be used anyways
|
||||
* (PSK); however for the future we want to have proper crypto here as
|
||||
* well. */
|
||||
if (!SSL_CTX_set1_sigalgs_list(gctx->ctx, "ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA512:RSA+SHA512")) {
|
||||
log_openssl(LLVL_FATAL, "Cannot set SSL signature algorithms.");
|
||||
return false;
|
||||
}
|
||||
|
||||
/* TODO: When X448 becomes available, include it here. */
|
||||
if (!SSL_CTX_set1_curves_list(gctx->ctx, "X25519")) {
|
||||
log_openssl(LLVL_FATAL, "Cannot set SSL generic context ECDHE curves.");
|
||||
return false;
|
||||
|
Loading…
Reference in New Issue
Block a user