Wire up SECURE_CIPHERS_ONLY

This has been in the codebase for ages but apparently never enabled or wired up at all. Defaults to false for now.
2023-06-11 18:36:16 +02:00 · 2023-06-11 18:36:16 +02:00 · ced2700c34
commit ced2700c34
parent b6c6cf00d0
4 changed files with 44 additions and 34 deletions
--- a/meson_options.txt
+++ b/meson_options.txt
@ -202,6 +202,12 @@ option(
 	value: true,
 	description: 'Enforce encrypted HTTP traffic, may be disabled for debugging'
 )
+option(
+	'secure_ciphers_only',
+	type: 'boolean',
+	value: false,
+	description: 'Use only secure ciphers for encrypted HTTP traffic, please review cipher list before enabling'
+)
 option(
 	'prepare',
 	type: 'boolean',
--- a/src/Config.template.h
+++ b/src/Config.template.h
@ -14,6 +14,7 @@ constexpr bool CAN_INSTALL              = @CAN_INSTALL@;
 constexpr bool INSTALL_CHECK            = @INSTALL_CHECK@;
 constexpr bool IGNORE_UPDATES           = @IGNORE_UPDATES@;
 constexpr bool ENFORCE_HTTPS            = @ENFORCE_HTTPS@;
+constexpr bool SECURE_CIPHERS_ONLY      = @SECURE_CIPHERS_ONLY@;
 constexpr char PATH_SEP_CHAR            = '@PATH_SEP_CHAR@';

 constexpr char SERVER[]         = "@SERVER@";
--- a/src/client/http/requestmanager/Libcurl.cpp
+++ b/src/client/http/requestmanager/Libcurl.cpp
@ -496,44 +496,45 @@ namespace http

 	void SetupCurlEasyCiphers(CURL *easy)
 	{
-#ifdef SECURE_CIPHERS_ONLY
-		curl_version_info_data *version_info = curl_version_info(CURLVERSION_NOW);
-		ByteString ssl_type = version_info->ssl_version;
-		if (ssl_type.Contains("OpenSSL"))
+		if constexpr (SECURE_CIPHERS_ONLY)
 		{
-			HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST,
-				"ECDHE-ECDSA-AES256-GCM-SHA384" ":"
-				"ECDHE-ECDSA-AES128-GCM-SHA256" ":"
-				"ECDHE-ECDSA-AES256-SHA384"     ":"
-				"DHE-RSA-AES256-GCM-SHA384"     ":"
-				"ECDHE-RSA-AES256-GCM-SHA384"   ":"
-				"ECDHE-RSA-AES128-GCM-SHA256"   ":"
-				"ECDHE-ECDSA-AES128-SHA"        ":"
-				"ECDHE-ECDSA-AES128-SHA256"     ":"
-				"ECDHE-RSA-CHACHA20-POLY1305"   ":"
-				"ECDHE-RSA-AES256-SHA384"       ":"
-				"ECDHE-RSA-AES128-SHA256"       ":"
-				"ECDHE-ECDSA-CHACHA20-POLY1305" ":"
-				"ECDHE-ECDSA-AES256-SHA"        ":"
-				"ECDHE-RSA-AES128-SHA"          ":"
-				"DHE-RSA-AES128-GCM-SHA256"
-			));
+			curl_version_info_data *version_info = curl_version_info(CURLVERSION_NOW);
+			ByteString ssl_type = version_info->ssl_version;
+			if (ssl_type.Contains("OpenSSL"))
+			{
+				HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST,
+					"ECDHE-ECDSA-AES256-GCM-SHA384" ":"
+					"ECDHE-ECDSA-AES128-GCM-SHA256" ":"
+					"ECDHE-ECDSA-AES256-SHA384"     ":"
+					"DHE-RSA-AES256-GCM-SHA384"     ":"
+					"ECDHE-RSA-AES256-GCM-SHA384"   ":"
+					"ECDHE-RSA-AES128-GCM-SHA256"   ":"
+					"ECDHE-ECDSA-AES128-SHA"        ":"
+					"ECDHE-ECDSA-AES128-SHA256"     ":"
+					"ECDHE-RSA-CHACHA20-POLY1305"   ":"
+					"ECDHE-RSA-AES256-SHA384"       ":"
+					"ECDHE-RSA-AES128-SHA256"       ":"
+					"ECDHE-ECDSA-CHACHA20-POLY1305" ":"
+					"ECDHE-ECDSA-AES256-SHA"        ":"
+					"ECDHE-RSA-AES128-SHA"          ":"
+					"DHE-RSA-AES128-GCM-SHA256"
+				));
 #ifdef REQUEST_USE_CURL_TLSV13CL
-			HandleCURLcode(curl_easy_setopt(easy, CURLOPT_TLS13_CIPHERS,
-				"TLS_AES_256_GCM_SHA384"       ":"
-				"TLS_CHACHA20_POLY1305_SHA256" ":"
-				"TLS_AES_128_GCM_SHA256"       ":"
-				"TLS_AES_128_CCM_8_SHA256"     ":"
-				"TLS_AES_128_CCM_SHA256"
-			));
+				HandleCURLcode(curl_easy_setopt(easy, CURLOPT_TLS13_CIPHERS,
+					"TLS_AES_256_GCM_SHA384"       ":"
+					"TLS_CHACHA20_POLY1305_SHA256" ":"
+					"TLS_AES_128_GCM_SHA256"       ":"
+					"TLS_AES_128_CCM_8_SHA256"     ":"
+					"TLS_AES_128_CCM_SHA256"
+				));
 #endif
+			}
+			else if (ssl_type.Contains("Schannel"))
+			{
+				// TODO: add more cipher algorithms
+				HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, "CALG_ECDH_EPHEM"));
+			}
 		}
-		else if (ssl_type.Contains("Schannel"))
-		{
-			// TODO: add more cipher algorithms
-			HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, "CALG_ECDH_EPHEM"));
-		}
-#endif
 		// TODO: Find out what TLS1.2 is supported on, might need to also allow TLS1.0
 		HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2));
 #if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 70, 0)
--- a/src/meson.build
+++ b/src/meson.build
@ -21,10 +21,12 @@ conf_data.set('UPDATESERVER', update_server)
 conf_data.set('USE_UPDATESERVER', update_server != '' ? 'true' : 'false')

 enforce_https = get_option('enforce_https')
+secure_ciphers_only = get_option('secure_ciphers_only')
 if not is_debug and not enforce_https
 	error('refusing to build a release binary without enforcing HTTPS, configure with -Denforce_https=true to fix this error')
 endif
 conf_data.set('ENFORCE_HTTPS', enforce_https ? 'true' : 'false')
+conf_data.set('SECURE_CIPHERS_ONLY', secure_ciphers_only ? 'true' : 'false')

 conf_data.set('IGNORE_UPDATES', get_option('ignore_updates') ? 'true' : 'false')
 conf_data.set('SERVER', get_option('server'))