Harden default TLS configuration (RIPD-1332, RIPD-1333, RIPD-1334):

The existing configuration includes 512 and 1024 bit DH
parameters and supports ciphers such as RC4 and 3DES and
hash algorithms like SHA-1 which are no longer considered
secure.

Going forward, use only 2048-bit DH parameters and define
a new default set of modern ciphers to use:

    HIGH:!aNULL:!MD5:!DSS:!SHA1:!3DES:!RC4:!EXPORT:!DSS

Additionally, allow administrators who wish to have different
settings to configure custom global and per-port cipher suites
in the configuration file using the `ssl_ciphers` directive.
Nik Bougalis
2016-11-21 17:22:32 -08:00
parent b00b81a861
commit 2c87739d6c
8 changed files with 119 additions and 196 deletions
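The cipher string in the commit message is an OpenSSL cipher-list specification, and the safest way to see what it actually selects on a given OpenSSL build is to let OpenSSL expand it. The script below is an added example, not rippled's code; it uses Python's `ssl` module (a thin wrapper over `SSL_CTX_set_cipher_list`) rather than the project's C++ so it runs without linking against OpenSSL headers, and it assumes Python 3.7 or later for the `description` field returned by `SSLContext.get_ciphers()`. It expands a string the way an operator might check a proposed `ssl_ciphers` value before deploying it, and flags any resulting suite from the families the commit rules out (RC4, 3DES, MD5 and SHA-1 MACs, anonymous key exchange, DSS). An empty selection is reported as a violation as well, since a context built from it would reject every handshake.

```python
"""Audit an OpenSSL cipher string before it goes into an `ssl_ciphers`
directive.  Hypothetical example, not rippled's own code."""
import ssl
from typing import Optional

# Hardened default quoted from the commit message.  The trailing
# duplicate !DSS is harmless: OpenSSL simply applies the rule twice.
HARDENED_DEFAULT = "HIGH:!aNULL:!MD5:!DSS:!SHA1:!3DES:!RC4:!EXPORT:!DSS"


def _weakness(cipher: dict) -> Optional[str]:
    """Return a reason if the suite (a dict from SSLContext.get_ciphers)
    falls into a family the commit message excludes, else None."""
    name = cipher["name"]
    desc = cipher.get("description", "")
    if "RC4" in name:
        return "RC4 stream cipher"
    if "3DES" in name or "DES-CBC3" in name:
        return "3DES block cipher"
    if "MD5" in name or "Mac=MD5" in desc:
        return "MD5 MAC"
    # TLS 1.2 suites with a SHA-1 HMAC end in "-SHA" (SHA256/384 differ).
    if "Mac=SHA1" in desc or name.endswith("-SHA"):
        return "SHA-1 MAC"
    if "ADH" in name or "AECDH" in name or "Au=None" in desc:
        return "anonymous key exchange"
    if "DSS" in name or "Au=DSS" in desc:
        return "DSS authentication"
    return None


def audit_cipher_string(spec: str) -> dict:
    """Expand `spec` with OpenSSL and return the selected suite names plus
    a list of "name: reason" strings for every weak suite it still offers.

    A string that selects nothing is itself reported as a violation,
    because a context built from it would reject every handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        return {"names": [], "violations": [f"selects no ciphers: {exc}"]}
    names, violations = [], []
    for cipher in ctx.get_ciphers():
        names.append(cipher["name"])
        reason = _weakness(cipher)
        if reason:
            violations.append(f"{cipher['name']}: {reason}")
    if not names:
        violations.append("selects no ciphers")
    return {"names": names, "violations": violations}


if __name__ == "__main__":
    # Compare the hardened default with a permissive "ALL" string.
    for spec in (HARDENED_DEFAULT, "ALL"):
        result = audit_cipher_string(spec)
        print(f"{spec}\n  {len(result['names'])} suites, "
              f"{len(result['violations'])} weak")
        for line in result["violations"][:5]:
            print("   ", line)
```

Because the expansion is done by the same OpenSSL that will serve the port, the output reflects what a build actually offers: a keyword OpenSSL no longer knows (such as `EXPORT` on builds that dropped export suites) is ignored rather than rejected, and TLS 1.3 suites, which are not governed by this string, appear in the list but never trip the checks.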

@@ -770,10 +770,11 @@ ServerHandler::Setup::makeContexts()
{
if (p.ssl_key.empty() && p.ssl_cert.empty() &&
p.ssl_chain.empty())
p.context = make_SSLContext();
p.context = make_SSLContext(p.ssl_ciphers);
else
p.context = make_SSLContextAuthed (
p.ssl_key, p.ssl_cert, p.ssl_chain);
p.ssl_key, p.ssl_cert, p.ssl_chain,
p.ssl_ciphers);
}
else
{
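Review bot: Neither branch of the `if` validates `p.ssl_ciphers` before handing it to `make_SSLContext(p.ssl_ciphers)` or `make_SSLContextAuthed(..., p.ssl_ciphers)`. Unless those functions substitute the hardened default for an empty or unparsable string, a mistyped `ssl_ciphers` value reaches OpenSSL unchecked and can yield a context that rejects every handshake or offers a weaker set than intended. Consider checking for a non-empty string here (or in the callee), documenting the fallback behaviour, and logging the effective cipher list for each port so the configuration can be audited.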
@@ -828,6 +829,7 @@ to_Port(ParsedPort const& parsed, std::ostream& log)
p.ssl_key = parsed.ssl_key;
p.ssl_cert = parsed.ssl_cert;
p.ssl_chain = parsed.ssl_chain;
p.ssl_ciphers = parsed.ssl_ciphers;
return p;
}
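Review bot: `p.ssl_ciphers = parsed.ssl_ciphers;` copies the per-port string verbatim with no normalization, and although `to_Port` receives `std::ostream& log`, nothing here records that a port overrides the global default. Emitting a log line with the port's cipher string when it is non-empty would let operators spot a port that has been configured with a weaker set, and a parse or non-empty check at this point would catch typos before the SSL context is built in `makeContexts`.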