Message ID | 20180330221400.20484-2-rosenp@gmail.com |
---|---|
State | Superseded |
Headers | show
Return-Path: <lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=<UNKNOWN>) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="WI4E+V2l"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="J8pub7I0"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 40CbX43kgQz9s2R for <incoming@patchwork.ozlabs.org>; Sat, 31 Mar 2018 09:15:00 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Subject:References: In-Reply-To:Message-Id:Date:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=RKX+1t9hew/HWrZd9lOPisT791a+e+zsoW+kdU9V18U=; b=WI4E+V2lCr+SQV RGZ4fvm7JJr+2B4g8CX9UfHU/TxOCygrCp4fCmHtJZ70cmcaEAheQ3+SWKsxcPHEkbgHRPDkZk0hr PaoHmvjsnXwJJEEvwtO8Z/E0PBOCxGhKv5/6G8dBZ0q2ku1ull9Gq/EByB4lDnquiNz2Gq/xKRiF0 CLkidcA8cswSLZj2Il0WKkjgxEyFp0RYLi3XHpaP5440qACYshmutyGu5bkQ0LcEIMn6x0g4F+KV6 8IYo5Vi6E5EqQYdQRCjfSh+ppU+QZRf1p8agUWr1qlemmQJ2yuJVn/qGEcVJ//vghKSslXEcPB1jN mC1NyaNS0TLPJfYxEUOg==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1f22IJ-0008M0-Uv; Fri, 30 Mar 2018 22:14:47 +0000 Received: from mail-pg0-x241.google.com ([2607:f8b0:400e:c05::241]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1f22Hu-0006kU-VN for lede-dev@lists.infradead.org; Fri, 30 Mar 2018 22:14:24 +0000 Received: by mail-pg0-x241.google.com with SMTP id 201so5770747pgg.3 for <lede-dev@lists.infradead.org>; Fri, 30 Mar 2018 15:14:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=yrtKRHajlUQ02fcg8AToPAfOtZfP63ebX4yM6FsL72E=; b=J8pub7I0T03ZWvp+60HXALvq8RoY1YtXZD0z+24S9Z9g6B0tZ3Ub/+nqTEsG4fADuh z8MlpgqB3vGcu6ja2xFpguBuj9fmfMCPzjvE22D8P2vGYHde+gcq7wKaoG67sn1UhEun kdpkxIw0Bjp31iOzcc9eBw1tCjN9hB9QQmG98Zgjc9gYYvLYa5idO7GzsSbWDXenYCdO ecXCuG4Rn+E99krFqoNM1YlZPJCsmEwYWSdHyrozexvXt11qzHxukritGOqW7iIMI3pf znpDTuS4QGVpsp1jBpSnDBT06b+nKxMALSCWpV107fwOpztP6QL3z27mH3NeeQs1TZRD LcIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=yrtKRHajlUQ02fcg8AToPAfOtZfP63ebX4yM6FsL72E=; b=BCb7taJWMmnyB93+00TphNr8cmKQ30FESh3nOhHCDfC10V1WNskR3qg8/E25e3DBUD 4Adb8YL+IFXjrZd1y7KR/glxlbrywqCmJLbZ4OYoRXfcDCaZOQnYNbcEyRZBX5mwZxb0 MyyyHrWBsxYeqoUn8IAnItVcF4Po+f2AKjmCeKAa9pfI+pbybw2F2pK0BTDJJJO4saVR fyeLyNrxC0ImjRCCr/XuD7Oivv/fMo1J0rkmYnaDyR3no3AHi0eojrjNaZ000Ux+seYa zNETNsR7MUAtr8PwIqQjcI88dZ/oODUk01DlElTaaM1BN9PYrJvbKO1mgKWumIA3Y8OM IfpA== X-Gm-Message-State: AElRT7HwVQobJyyPw5HNUGc+GE1gH/ZqwSLQuyAyhXkxq1VDY/MMHUMO ZZ6AUXZExbY9quNYFY6SPyy/UDMI X-Google-Smtp-Source: AIpwx4+uP8+D+mCoTdfDB6vNet39yX7KH8C8dDmp+t6sD9tYUQt/dGXKa8WeTS1cfjdVY2JVs0AmHw== X-Received: by 10.101.101.66 with SMTP id a2mr442223pgw.223.1522448051929; Fri, 30 Mar 2018 15:14:11 -0700 (PDT) Received: from desktop.lan (astound-69-42-5-101.ca.astound.net. [69.42.5.101]) by smtp.gmail.com with ESMTPSA id y19sm4913689pfm.65.2018.03.30.15.14.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 30 Mar 2018 15:14:11 -0700 (PDT) From: Rosen Penev <rosenp@gmail.com> To: lede-dev@lists.infradead.org Date: Fri, 30 Mar 2018 15:14:00 -0700 Message-Id: <20180330221400.20484-2-rosenp@gmail.com> X-Mailer: git-send-email 2.16.3 In-Reply-To: <20180330221400.20484-1-rosenp@gmail.com> References: <20180330221400.20484-1-rosenp@gmail.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20180330_151423_015528_5014272C X-CRM114-Status: UNSURE ( 9.85 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -0.1 (/) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-0.1 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2607:f8b0:400e:c05:0:0:0:241 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (rosenp[at]gmail.com) -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid Subject: [LEDE-DEV] [PATCH 2/2] ustream-ssl: Disable RC4 for TLS connections. X-BeenThere: lede-dev@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: <lede-dev.lists.infradead.org> List-Unsubscribe: <http://lists.infradead.org/mailman/options/lede-dev>, <mailto:lede-dev-request@lists.infradead.org?subject=unsubscribe> List-Archive: <http://lists.infradead.org/pipermail/lede-dev/> List-Post: <mailto:lede-dev@lists.infradead.org> List-Help: <mailto:lede-dev-request@lists.infradead.org?subject=help> List-Subscribe: <http://lists.infradead.org/mailman/listinfo/lede-dev>, <mailto:lede-dev-request@lists.infradead.org?subject=subscribe> Cc: Rosen Penev <rosenp@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Lede-dev" <lede-dev-bounces@lists.infradead.org> Errors-To: lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org |
Series |
[LEDE-DEV,1/2] ustream-ssl: Enable ECDHE with OpenSSL and prefer it to the other suites.
|
expand
|
diff --git a/ustream-openssl.c b/ustream-openssl.c index 0f51b9d..ae5517b 100644 --- a/ustream-openssl.c +++ b/ustream-openssl.c @@ -52,7 +52,7 @@ __ustream_ssl_context_new(bool server) #ifndef OPENSSL_NO_ECDH SSL_CTX_set_ecdh_auto(c, 1); #endif - SSL_CTX_set_cipher_list(c, "ECDHE:ALL"); + SSL_CTX_set_cipher_list(c, "ECDHE:!RC4:ALL"); SSL_CTX_set_quiet_shutdown(c, 1); return (void *) c;
When used with LuCI, SSLlabs complains that RC4 is insecure and thus caps the score to a B. I believe RC4 is compile-time enabled for non-TLS related reasons. Signed-off-by: Rosen Penev <rosenp@gmail.com> --- ustream-openssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)