blackbeard420/kore
1
0
Fork 0
mirror of https://github.com/jorisvink/kore synced 2025-03-09 04:29:02 -04:00
Code Issues Projects Releases Wiki Activity

By default Kore now uses ECDH/DHE for TLS key exchanges.

Browse Source 
This commit disables RSA key exchanges for TLS completely, while
introducing the requirement for always having DH parameters (ssl_dhparam).

Judging from ciphersuites most modern browsers now prefer this
change should be more than ok.
This commit is contained in:
Joris Vink 2015-02-03 13:17:59 +01:00
parent b1e5a806a6
commit 2049bc72dc
4 changed files with 28 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
conf/kore.conf.example
View File

@ -61,7 +61,7 @@ validator v_number regex ^[0-9]*$
validator v_session function v_session_validate
# Specify the SSL ciphers that will be used.
#ssl_cipher ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
#ssl_cipher ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kRSA:!kDSA
# If you wish to use EDH / ECDH specify a file containing
# a generated DH key (See OpenSSL dhparam).

2
includes/kore.h
View File

@ -58,7 +58,7 @@ extern int daemon(int, int);
#define KORE_DOMAINNAME_LEN 254
#define KORE_PIDFILE_DEFAULT "kore.pid"
#define KORE_DEFAULT_CIPHER_LIST "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
#define KORE_DEFAULT_CIPHER_LIST "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kRSA:!kDSA"
#if defined(KORE_DEBUG)
#define kore_debug(fmt, ...) \

18
src/cli.c
View File

@ -159,6 +159,9 @@ static const char *config_data =
"\n"
"bind\t\t127.0.0.1 8888\n"
"load\t\t./%s.so\n"
#if !defined(KORE_BENCHMARK)
"ssl_dhparam\tdh2048.pem\n"
#endif
"\n"
"domain 127.0.0.1 {\n"
#if !defined(KORE_BENCHMARK)
@ -168,6 +171,16 @@ static const char *config_data =
"\tstatic\t/\tpage\n"
"}\n";
static const char *dh2048_data =
"-----BEGIN DH PARAMETERS-----\n"
"MIIBCAKCAQEAn4f4Qn5SudFjEYPWTbUaOTLUH85YWmmPFW1+b5bRa9ygr+1wfamv\n"
"VKVT7jO8c4msSNikUf6eEfoH0H4VTCaj+Habwu+Sj+I416r3mliMD4SjNsUJrBrY\n"
"Y0QV3ZUgZz4A8ARk/WwQcRl8+ZXJz34IaLwAcpyNhoV46iHVxW0ty8ND0U4DIku/\n"
"PNayKimu4BXWXk4RfwNVP59t8DQKqjshZ4fDnbotskmSZ+e+FHrd+Kvrq/WButvV\n"
"Bzy9fYgnUlJ82g/bziCI83R2xAdtH014fR63MpElkqdNeChb94pPbEdFlNUvYIBN\n"
"xx2vTUQMqRbB4UdG2zuzzr5j98HDdblQ+wIBAg==\n"
"-----END DH PARAMETERS-----";
static const char *gitignore_data = "*.o\n.objs\n%s.so\nassets.h\ncert\n";
static int s_fd = -1;
@ -258,7 +271,7 @@ cli_create(int argc, char **argv)
printf("%s created succesfully!\n", appl);
#if !defined(KORE_BENCHMARK)
printf("note: do not use the generated certificates for production\n");
printf("note: do NOT use the created DH parameters/certificates in production\n");
#endif
}
@ -737,6 +750,9 @@ cli_generate_certs(void)
RSA *kpair;
char *fpath, issuer[64];
/* Write out DH parameters. */
cli_file_create("dh2048.pem", dh2048_data, strlen(dh2048_data));
/* Create new certificate. */
if ((x509 = X509_new()) == NULL)
cli_fatal("X509_new(): %s", ssl_errno_s);

17
src/domain.c
View File

@ -86,17 +86,18 @@ kore_domain_sslstart(struct kore_domain *dom)
if (!SSL_CTX_check_private_key(dom->ssl_ctx))
fatal("Public/Private key for %s do not match", dom->domain);
if (ssl_dhparam != NULL) {
SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
if (ssl_dhparam == NULL)
fatal("No DH parameters given");
SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
#if !defined(OPENSSL_NO_EC)
if ((ecdh = EC_KEY_new_by_curve_name(NID_secp384r1)) != NULL) {
SSL_CTX_set_tmp_ecdh(dom->ssl_ctx, ecdh);
EC_KEY_free(ecdh);
}
#endif
if ((ecdh = EC_KEY_new_by_curve_name(NID_secp384r1)) != NULL) {
SSL_CTX_set_tmp_ecdh(dom->ssl_ctx, ecdh);
EC_KEY_free(ecdh);
}
#endif
SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_COMPRESSION);