Improve SSL handshaking & cipher negotiation:

The default SSL cipher list introduced with 0.50.0 in
commit 2c87739 was overly restrictive and resulted in
clients unable to negotiate SSL connections.

Adjust the default cipher to the more sensible:

    HIGH:MEDIUM:!aNULL:!MD5:!DSS:!3DES:!RC4:!EXPORT

Correct a bug that would not allow an SSL handshake
to properly complete if the port was configured using
the `wss` keyword.
Nik Bougalis
2017-01-28 21:56:00 -08:00
parent 77999579b5
commit 708fc6cd6f
2 changed files with 2 additions and 2 deletions

@@ -36,7 +36,7 @@ namespace detail {
// detection/prevention, we also have websocket and rpc scenarios
// and want to ensure weak ciphers can't be used.
char const defaultCipherList[] =
"HIGH:!aNULL:!MD5:!DSS:!SHA1:!3DES:!RC4:!EXPORT:!DSS";
"HIGH:MEDIUM:!aNULL:!MD5:!DSS:!3DES:!RC4:!EXPORT";
template <class>
struct custom_delete;
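Review bot: the comment kept above `defaultCipherList` still states that weak ciphers must not be usable, yet the new string both adds `MEDIUM` and drops `!SHA1` in one step, without recording which of the two the failing clients actually needed. Suggest extending that comment with the reason for each relaxation, and checking whether allowing SHA-1 MAC suites under `HIGH` alone would have restored compatibility before admitting the whole `MEDIUM` class. Removing the duplicated `!DSS` is a good cleanup.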

@@ -132,7 +132,7 @@ do_handshake(yield_context do_yield)
return this->fail(ec, "handshake");
bool const http =
this->port().protocol.count("peer") > 0 ||
//port().protocol.count("wss") > 0 ||
this->port().protocol.count("wss") > 0 ||
this->port().protocol.count("wss2") > 0 ||
this->port().protocol.count("https") > 0;
if(http)
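Review bot: the `wss` check in the `http` condition had been disabled with a bare `//` and no explanation, and it is re-enabled here with no test in the change (2 additions and 2 deletions across the two files). Suggest adding a regression test that completes a handshake on a port configured with `wss`, plus a short comment on the condition saying why each of `peer`, `wss`, `wss2` and `https` takes this path, so a later edit cannot drop one of them silently.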