Recommended cipher list for server side.

Summary: A SSLOptions recommended for cipher use. Reviewed By: yfeldblum Differential Revision: D5614280 fbshipit-source-id: a6b1adfa8d168f35c7bc7d4088c4073c3f4084a5
facebook · Aug 19, 2017 · f2ddd0e · f2ddd0e
1 parent 0e0710e
commit f2ddd0e
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/folly/io/async/SSLOptions.cpp b/folly/io/async/SSLOptions.cpp
@@ -29,6 +29,7 @@ void logDfatal(std::exception const& e) {
 
 constexpr std::array<const char*, 12> SSLCommonOptions::kCipherList;
 constexpr std::array<const char*, 8> SSLCommonOptions::kSignatureAlgorithms;
+constexpr std::array<const char*, 12> SSLServerOptions::kCipherList;
 
 void SSLCommonOptions::setClientOptions(SSLContext& ctx) {
 #ifdef SSL_MODE_HANDSHAKE_CUTTHROUGH

diff --git a/folly/io/async/SSLOptions.h b/folly/io/async/SSLOptions.h
@@ -66,6 +66,28 @@ struct SSLCommonOptions {
   static void setClientOptions(SSLContext& ctx);
 };
 
+/**
+ * Recommended SSL options for server-side scenario.
+ */
+struct SSLServerOptions {
+  /**
+   * The list of ciphers recommended for server use.
+   */
+  static constexpr auto kCipherList = folly::make_array(
+      "ECDHE-ECDSA-AES128-GCM-SHA256",
+      "ECDHE-ECDSA-AES256-GCM-SHA384",
+      "ECDHE-ECDSA-AES128-SHA",
+      "ECDHE-ECDSA-AES256-SHA",
+      "ECDHE-RSA-AES128-GCM-SHA256",
+      "ECDHE-RSA-AES256-GCM-SHA384",
+      "ECDHE-RSA-AES128-SHA",
+      "ECDHE-RSA-AES256-SHA",
+      "AES128-GCM-SHA256",
+      "AES256-GCM-SHA384",
+      "AES128-SHA",
+      "AES256-SHA");
+};
+
 /**
  * Set the cipher suite of ctx to that in TSSLOptions, and print any runtime
  * error it catches.