
net_ssl: setup some config flags for decreased attack surface

moneromooo-monero committed Jan 10, 2019
1 parent 9fe66cc commit cf298a1b52c55a6397baed52f4d58b79bb01d89f
Showing with 19 additions and 1 deletion.
  1. +19 −1 contrib/epee/src/net_ssl.cpp
@@ -27,7 +27,7 @@
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#include <boost/asio/ssl.hpp>
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/pem.h>
#include "misc_log_ex.h"
#include "net/net_ssl.h"
@@ -133,6 +133,24 @@ ssl_context_t create_ssl_context(const std::string &private_key_path, const std:
// disable sslv2
ssl_context.context.set_options(boost::asio::ssl::context::default_workarounds | boost::asio::ssl::context::no_sslv2);
ssl_context.context.set_default_verify_paths();

// set options on the SSL context for added security
SSL_CTX *ctx = ssl_context.context.native_handle();
CHECK_AND_ASSERT_THROW_MES(ctx, "Failed to get SSL context");
SSL_CTX_clear_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT); // SSL_CTX_SET_OPTIONS(3)
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); // https://stackoverflow.com/questions/22378442
SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); // https://stackoverflow.com/questions/22378442
SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); // https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
#if 0
SSL_CTX_set_cipher_list(ctx, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
SSL *ssl = SSL_new(ctx);
SSL_set_tlsext_heartbeat_no_requests(ssl, SSL_DTLSEXT_HB_DONT_SEND_REQUESTS | SSL_DTLSEXT_HB_DONT_RECV_REQUESTS);
SSL_free(ssl);
#endif

CHECK_AND_ASSERT_THROW_MES(private_key_path.empty() == certificate_path.empty(), "private key and certificate must be either both given or both empty");
if (certificate_path.empty())
{
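Review bot: The `#if 0` block at the end of the hunk is dead code that also misleads: the cipher-list restriction it contains is never applied, and the `SSL_new`/`SSL_set_tlsext_heartbeat_no_requests`/`SSL_free` sequence would not affect the context anyway, since the per-connection `SSL` object is freed immediately. Either drop the block or replace it with a one-line comment stating why the cipher list is intentionally left at the defaults, so a later reader does not assume the hardening is in force. Separately, `SSL_OP_NO_RENEGOTIATION` is, as far as I recall, only defined from OpenSSL 1.1.0h onward; if builds against older OpenSSL are still supported, wrap that call as `#ifdef SSL_OP_NO_RENEGOTIATION` / `SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);` / `#endif` rather than failing the compile. The enclosing `create_ssl_context` begins and ends outside the hunk.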
