Update default GnuTLS cipher suite priority string to one that gives the same ciphers as the OpenSSL version.

Also fix deinit segfault.

./gnutls-ciphers "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL"
Cipher suites for NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL
TLS_ECDHE_RSA_AES_256_GCM_SHA384                  	0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256                  	0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305                   	0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                0xc0, 0x2 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305                 0xcc, 0xa9 TLS1.2

$ openssl ciphers -v TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
Jim Hague 2018-12-14 15:23:23 +00:00
parent a4590bafcb
commit c1bf12c8a2
1 changed files with 11 additions and 6 deletions


@ -43,12 +43,13 @@
/*
* Cipher suites recommended in RFC7525.
*
* The GnuTLS 3.5.19 being used for this proof of concept doesn't have
* TLS 1.3 support, as in the OpenSSL equivalent. Fall back for now to
* a known working priority string.
* The following string generates a list with the same ciphers that are
* generated by the equivalent string in the OpenSSL version of this file.
*/
char const * const _getdns_tls_context_default_cipher_list =
"SECURE128:SECURE192:-VERS-TLS1.0:-VERS-TLS1.1";
"NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:"
"+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:"
"+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL";
static char const * const _getdns_tls_connection_opportunistic_cipher_list =
"NORMAL";
@ -247,8 +248,10 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
res->shutdown = 0;
res->ctx = ctx;
res->mfs = mfs;
res->tls = NULL;
res->cipher_list = NULL;
res->curve_list = NULL;
res->dane_state = NULL;
res->dane_query = NULL;
res->tlsa = NULL;
@ -288,8 +291,10 @@ getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_c
if (conn->dane_query)
dane_query_deinit(conn->dane_query);
dane_state_deinit(conn->dane_state);
gnutls_deinit(conn->tls);
if (conn->dane_state)
dane_state_deinit(conn->dane_state);
if (conn->tls)
gnutls_deinit(conn->tls);
gnutls_certificate_free_credentials(conn->cred);
GETDNS_FREE(*mfs, conn->tlsa);
GETDNS_FREE(*mfs, conn->curve_list);
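Review bot: The new `_getdns_tls_context_default_cipher_list` string in the first hunk ends with `+COMP-ALL`, which on GnuTLS builds that still include DEFLATE lets TLS-level compression be negotiated; RFC 7525, which the comment above the string cites, recommends disabling it, so the last fragment would better read `"+COMP-NULL:+VERS-TLS-ALL:+CURVE-ALL";`. The string also enables `+ECDHE-ECDSA` while the only signature algorithm it lists is `+SIGN-RSA-SHA384`, so a handshake with a server that presents an ECDSA certificate, or that signs with RSA-SHA256, will probably fail even though `gnutls-ciphers` prints the suites; consider adding `+SIGN-ECDSA-SHA384`, `+SIGN-ECDSA-SHA256` and `+SIGN-RSA-SHA256`. Unlike the old string, `+VERS-TLS-ALL` no longer excludes TLS 1.0 and 1.1 explicitly. The AEAD-only cipher list appears to confine negotiation to TLS 1.2, but a one-line comment saying that this is what enforces the floor would stop a later cipher addition from silently re-enabling the old versions.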