
[OpenWrt-Devel,v3,3/3] ustream-ssl: Revised security on mbedtls

Message ID mailman.4709.1529121856.25356.openwrt-devel@lists.openwrt.org
State Accepted
Delegated to: John Crispin
Series [OpenWrt-Devel,v3,1/3] ustream-ssl: add openssl-1.1.0 compatibility | expand

Commit Message

Thomas Richard via openwrt-devel June 16, 2018, 4:04 a.m. UTC
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
I've revised the security options and made them more uniform across the
SSL libraries.

- use only TLS 1.2 in server mode
- changed the ciphersuite ordering

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
---
 ustream-mbedtls.c | 49 +++++++++++++++++++++++--------------------------
 1 file changed, 23 insertions(+), 26 deletions(-)

Patch

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 9b22ad2..347c600 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -86,33 +86,28 @@  static int _urandom(void *ctx, unsigned char *out, size_t len)
 	return 0;
 }
 
-#define TLS_DEFAULT_CIPHERS			\
-    TLS_CIPHER(AES_128_GCM_SHA256)		\
-    TLS_CIPHER(AES_256_GCM_SHA384)		\
-    TLS_CIPHER(AES_128_CBC_SHA)			\
-    TLS_CIPHER(AES_256_CBC_SHA)			\
-    TLS_CIPHER(3DES_EDE_CBC_SHA)
-
-static const int default_ciphersuites_nodhe[] =
+#define AES_CIPHERS(v)					\
+	MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256,	\
+	MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384,	\
+	MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA,		\
+	MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
+
+static const int default_ciphersuites_server[] =
 {
-#define TLS_CIPHER(v)				\
-	MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v,	\
-	MBEDTLS_TLS_ECDHE_RSA_WITH_##v,		\
-	MBEDTLS_TLS_RSA_WITH_##v,
-	TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+	AES_CIPHERS(ECDHE_ECDSA),
+	AES_CIPHERS(ECDHE_RSA),
+	AES_CIPHERS(RSA),
 	0
 };
 
-static const int default_ciphersuites[] =
+static const int default_ciphersuites_client[] =
 {
-#define TLS_CIPHER(v)				\
-	MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v,	\
-	MBEDTLS_TLS_ECDHE_RSA_WITH_##v,		\
-	MBEDTLS_TLS_DHE_RSA_WITH_##v,		\
-	MBEDTLS_TLS_RSA_WITH_##v,
-	TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+	AES_CIPHERS(ECDHE_ECDSA),
+	AES_CIPHERS(ECDHE_RSA),
+	AES_CIPHERS(DHE_RSA),
+	MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	AES_CIPHERS(RSA),
+	MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 	0
 };
 
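Review bot: The two new suite lists encode deliberate policy choices that nothing in the file explains: static-RSA key exchange (no forward secrecy) is kept in both `default_ciphersuites_server` and `default_ciphersuites_client`, the SHA-1 CBC suites from `AES_CIPHERS` are accepted even though the server is now TLS 1.2 only, and the two 3DES suites survive only on the client side. A short comment above `AES_CIPHERS` would let the next reviewer audit the list without reconstructing the reasoning, e.g. `/* Preference order: ECDHE first, GCM before CBC; static-RSA and (client only) 3DES are kept last for compatibility with older peers — revisit when they can be dropped */`, with the compatibility motive presumably being the reason, which the commit message does not state. The old code also `#undef`'d its helper macro after each list; `AES_CIPHERS` stays defined for the rest of the translation unit, so either `#undef AES_CIPHERS` after the client list or note that it is intentionally left available.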
@@ -152,10 +147,12 @@  __ustream_ssl_context_new(bool server)
 	mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
 	mbedtls_ssl_conf_rng(conf, _urandom, NULL);
 
-	if (server)
-		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
-	else
-		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
+	if (server) {
+		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server);
+		mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+					     MBEDTLS_SSL_MINOR_VERSION_3);
+	} else
+		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);
 
 #if defined(MBEDTLS_SSL_CACHE_C)
 	mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
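Review bot: The new `if (server) { ... } else` leaves the `else` branch unbraced while the `if` branch is braced, which is the mixed form most C style guides (including the kernel style this file otherwise follows with tabs) reject; write it as `} else {` / `mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);` / `}`. The minimum-version call is also the only place the "TLS 1.2 only in server mode" policy from the commit message lives, so a comment on it would help: `/* Server side: accept TLS 1.2 (3.3) only; the client keeps the library's default minimum version */`. It is worth confirming that leaving the client minimum at the build default is intended, since the client list still carries the weaker CBC and 3DES suites that a downgraded peer could select. `__ustream_ssl_context_new` starts before and continues after this hunk.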