Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/07/29 17:54:47 UTC

[18/50] mochiweb commit: updated refs/heads/upstream to b66b68d

SSL: remove unsafe ciphers and protocols from the default options.


Project: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/commit/68d21780
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/tree/68d21780
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/diff/68d21780

Branch: refs/heads/upstream
Commit: 68d217805b2b683309169f4fec132ce293997cf1
Parents: 95c0c92
Author: Marc Worrell <ma...@worrell.nl>
Authored: Wed Oct 15 12:18:33 2014 +0200
Committer: Marc Worrell <ma...@worrell.nl>
Committed: Wed Oct 15 12:46:17 2014 +0200

----------------------------------------------------------------------
 src/mochiweb_socket.erl | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/blob/68d21780/src/mochiweb_socket.erl
----------------------------------------------------------------------
diff --git a/src/mochiweb_socket.erl b/src/mochiweb_socket.erl
index fff0b42..8cd074f 100644
--- a/src/mochiweb_socket.erl
+++ b/src/mochiweb_socket.erl
@@ -16,7 +16,8 @@ listen(Ssl, Port, Opts, SslOpts) ->
     case Ssl of
         true ->
             Opts1 = add_unbroken_ciphers_default(Opts ++ SslOpts),
-            case ssl:listen(Port, Opts1) of
+            Opts2 = add_safe_protocol_versions(Opts1),
+            case ssl:listen(Port, Opts2) of
                 {ok, ListenSocket} ->
                     {ok, {ssl, ListenSocket}};
                 {error, _} = Err ->
@@ -27,7 +28,8 @@ listen(Ssl, Port, Opts, SslOpts) ->
     end.
 
 add_unbroken_ciphers_default(Opts) ->
-    Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, ssl:cipher_suites())),
+    Default = filter_unsecure_cipher_suites(ssl:cipher_suites()),
+    Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, Default)),
     [{ciphers, Ciphers} | proplists:delete(ciphers, Opts)].
 
 filter_broken_cipher_suites(Ciphers) ->
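Review bot: The DES/MD5 exclusion is applied only to the built-in default: a caller-supplied `{ciphers, _}` in Opts is taken as given by `proplists:get_value(ciphers, Opts, Default)` and only passes through `filter_broken_cipher_suites`, so the new filter is bypassed without any notice. If that is intended, state it above the `Default =` line, e.g. `%% Only the built-in default list is stripped of insecure suites; an explicit {ciphers, _} option is honoured as given (after filter_broken_cipher_suites).`. As a point of style, `filter_unsecure_cipher_suites` would read more naturally as `filter_insecure_cipher_suites`.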
@@ -40,6 +42,31 @@ filter_broken_cipher_suites(Ciphers) ->
             Ciphers
     end.
 
+filter_unsecure_cipher_suites(Ciphers) ->
+    lists:filter(fun
+                    ({_,des_cbc,_}) -> false;
+                    ({_,_,md5}) -> false;
+                    (_) -> true
+                 end,
+                 Ciphers).
+
+add_safe_protocol_versions(Opts) ->
+    case proplists:is_defined(versions, Opts) of
+        true ->
+            Opts;
+        false ->
+            Versions = filter_unsafe_protcol_versions(proplists:get_value(available, ssl:versions())),
+            [{versions, Versions} | Opts]
+    end.
+
+filter_unsafe_protcol_versions(Versions) ->
+    lists:filter(fun
+                    (sslv3) -> false;
+                    (_) -> true
+                 end,
+                 Versions).
+
+
 accept({ssl, ListenSocket}) ->
     % There's a bug in ssl:transport_accept/2 at the moment, which is the
     % reason for the try...catch block. Should be fixed in OTP R14.
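Review bot: `filter_unsecure_cipher_suites` recognises only three-element suite tuples, so any suite that `ssl:cipher_suites()` reports in another shape (later OTP releases also return `{KeyExchange, Cipher, Hash, Prf}` 4-tuples) falls to the `(_) -> true` clause and is kept, turning the DES/MD5 exclusion into a silent no-op for those entries; adding `({_,des_cbc,_,_}) -> false;` and `({_,_,md5,_}) -> false;` clauses closes that gap. In `add_safe_protocol_versions` the seed list is `available` from `ssl:versions()`, i.e. every version the implementation can speak rather than the `supported` set it enables by default, so on releases where those two lists differ this enables more than "default minus sslv3"; seeding from `supported` would be the conservative choice. The name `filter_unsafe_protcol_versions` has a typo (`protcol`), and both filters would benefit from a one-line intent comment such as `%% Drop suites using single DES or an MD5 MAC from the default list.`.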