Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/07/29 17:54:47 UTC
[18/50] mochiweb commit: updated refs/heads/upstream to b66b68d
SSL: remove unsafe ciphers and protocols from the default options.
Project: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/commit/68d21780
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/tree/68d21780
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/diff/68d21780
Branch: refs/heads/upstream
Commit: 68d217805b2b683309169f4fec132ce293997cf1
Parents: 95c0c92
Author: Marc Worrell <ma...@worrell.nl>
Authored: Wed Oct 15 12:18:33 2014 +0200
Committer: Marc Worrell <ma...@worrell.nl>
Committed: Wed Oct 15 12:46:17 2014 +0200
----------------------------------------------------------------------
src/mochiweb_socket.erl | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/blob/68d21780/src/mochiweb_socket.erl
----------------------------------------------------------------------
diff --git a/src/mochiweb_socket.erl b/src/mochiweb_socket.erl
index fff0b42..8cd074f 100644
--- a/src/mochiweb_socket.erl
+++ b/src/mochiweb_socket.erl
@@ -16,7 +16,8 @@ listen(Ssl, Port, Opts, SslOpts) ->
case Ssl of
true ->
Opts1 = add_unbroken_ciphers_default(Opts ++ SslOpts),
- case ssl:listen(Port, Opts1) of
+ Opts2 = add_safe_protocol_versions(Opts1),
+ case ssl:listen(Port, Opts2) of
{ok, ListenSocket} ->
{ok, {ssl, ListenSocket}};
{error, _} = Err ->
@@ -27,7 +28,8 @@ listen(Ssl, Port, Opts, SslOpts) ->
end.
add_unbroken_ciphers_default(Opts) ->
- Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, ssl:cipher_suites())),
+ Default = filter_unsecure_cipher_suites(ssl:cipher_suites()),
+ Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, Default)),
[{ciphers, Ciphers} | proplists:delete(ciphers, Opts)].
filter_broken_cipher_suites(Ciphers) ->
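Review bot: The new DES/MD5 scrub on the `Default` line applies only to the built-in `ssl:cipher_suites()` list; a caller-supplied `{ciphers, _}` option skips it entirely and still passes only through `filter_broken_cipher_suites/1`, and that precedence is not documented anywhere in `add_unbroken_ciphers_default/1`. A comment on the `Default =` line would save the next reader from assuming every listener is DES/MD5-free: `%% Only the built-in default list is scrubbed of DES/MD5 suites; an explicit {ciphers, _} option is honoured as given (apart from filter_broken_cipher_suites/1).` Note also that `ssl:cipher_suites()` and the scrub run even when an explicit `ciphers` option makes the default unused; harmless, but worth a word in the same comment if that is intended.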
@@ -40,6 +42,31 @@ filter_broken_cipher_suites(Ciphers) ->
Ciphers
end.
+filter_unsecure_cipher_suites(Ciphers) ->
+ lists:filter(fun
+ ({_,des_cbc,_}) -> false;
+ ({_,_,md5}) -> false;
+ (_) -> true
+ end,
+ Ciphers).
+
+add_safe_protocol_versions(Opts) ->
+ case proplists:is_defined(versions, Opts) of
+ true ->
+ Opts;
+ false ->
+ Versions = filter_unsafe_protcol_versions(proplists:get_value(available, ssl:versions())),
+ [{versions, Versions} | Opts]
+ end.
+
+filter_unsafe_protcol_versions(Versions) ->
+ lists:filter(fun
+ (sslv3) -> false;
+ (_) -> true
+ end,
+ Versions).
+
+
accept({ssl, ListenSocket}) ->
% There's a bug in ssl:transport_accept/2 at the moment, which is the
% reason for the try...catch block. Should be fixed in OTP R14.
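Review bot: `filter_unsecure_cipher_suites/1` drops DES-CBC and MD5 suites but keeps RC4, which was already considered broken when this was written; if the OTP release in use still returns `rc4_128` suites from `ssl:cipher_suites()` they will end up in the default list, so add `({_,rc4_128,_}) -> false;` next to the `des_cbc` clause. The filter also fails open: the `(_) -> true` catch-all lets any suite that is not a 3-tuple through untouched, so should a newer OTP return suites in another shape (a fourth PRF element, for example — unverified here) a DES or MD5 suite would pass silently; matching on `element(2, Suite)` / `element(3, Suite)` instead of a fixed arity would make the intent survive that. Minor style points in the same hunk: `filter_unsafe_protcol_versions` is misspelled (both at its definition and the call site in `add_safe_protocol_versions/1`, so it compiles), `unsecure` should be `insecure`, and the two trailing blank lines before `accept/1` are surplus. A short `%% ` header on each of the three new functions saying what is filtered and why (SSLv3 for POODLE, DES/MD5 for weak primitives) would make the security rationale explicit; `accept/1` continues outside the hunk.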