Wire up SECURE_CIPHERS_ONLY

This has been in the codebase for ages but apparently never enabled or wired up at all. Defaults to false for now.
This commit is contained in:
Tamás Bálint Misius 2023-06-11 18:36:16 +02:00
parent b6c6cf00d0
commit ced2700c34
GPG Key ID: 5B472A12F6ECA9F2
4 changed files with 44 additions and 34 deletions


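--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -202,6 +202,12 @@ option(
 value: true,
 description: 'Enforce encrypted HTTP traffic, may be disabled for debugging'
 )
+option(
+'secure_ciphers_only',
+type: 'boolean',
+value: false,
+description: 'Use only secure ciphers for encrypted HTTP traffic, please review cipher list before enabling'
+)
 option(
 'prepare',
 type: 'boolean',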


@ -14,6 +14,7 @@ constexpr bool CAN_INSTALL = @CAN_INSTALL@;
constexpr bool INSTALL_CHECK = @INSTALL_CHECK@; constexpr bool INSTALL_CHECK = @INSTALL_CHECK@;
constexpr bool IGNORE_UPDATES = @IGNORE_UPDATES@; constexpr bool IGNORE_UPDATES = @IGNORE_UPDATES@;
constexpr bool ENFORCE_HTTPS = @ENFORCE_HTTPS@; constexpr bool ENFORCE_HTTPS = @ENFORCE_HTTPS@;
constexpr bool SECURE_CIPHERS_ONLY = @SECURE_CIPHERS_ONLY@;
constexpr char PATH_SEP_CHAR = '@PATH_SEP_CHAR@'; constexpr char PATH_SEP_CHAR = '@PATH_SEP_CHAR@';
constexpr char SERVER[] = "@SERVER@"; constexpr char SERVER[] = "@SERVER@";


@ -496,44 +496,45 @@ namespace http
void SetupCurlEasyCiphers(CURL *easy) void SetupCurlEasyCiphers(CURL *easy)
{ {
#ifdef SECURE_CIPHERS_ONLY if constexpr (SECURE_CIPHERS_ONLY)
curl_version_info_data *version_info = curl_version_info(CURLVERSION_NOW);
ByteString ssl_type = version_info->ssl_version;
if (ssl_type.Contains("OpenSSL"))
{ {
HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, curl_version_info_data *version_info = curl_version_info(CURLVERSION_NOW);
"ECDHE-ECDSA-AES256-GCM-SHA384" ":" ByteString ssl_type = version_info->ssl_version;
"ECDHE-ECDSA-AES128-GCM-SHA256" ":" if (ssl_type.Contains("OpenSSL"))
"ECDHE-ECDSA-AES256-SHA384" ":" {
"DHE-RSA-AES256-GCM-SHA384" ":" HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST,
"ECDHE-RSA-AES256-GCM-SHA384" ":" "ECDHE-ECDSA-AES256-GCM-SHA384" ":"
"ECDHE-RSA-AES128-GCM-SHA256" ":" "ECDHE-ECDSA-AES128-GCM-SHA256" ":"
"ECDHE-ECDSA-AES128-SHA" ":" "ECDHE-ECDSA-AES256-SHA384" ":"
"ECDHE-ECDSA-AES128-SHA256" ":" "DHE-RSA-AES256-GCM-SHA384" ":"
"ECDHE-RSA-CHACHA20-POLY1305" ":" "ECDHE-RSA-AES256-GCM-SHA384" ":"
"ECDHE-RSA-AES256-SHA384" ":" "ECDHE-RSA-AES128-GCM-SHA256" ":"
"ECDHE-RSA-AES128-SHA256" ":" "ECDHE-ECDSA-AES128-SHA" ":"
"ECDHE-ECDSA-CHACHA20-POLY1305" ":" "ECDHE-ECDSA-AES128-SHA256" ":"
"ECDHE-ECDSA-AES256-SHA" ":" "ECDHE-RSA-CHACHA20-POLY1305" ":"
"ECDHE-RSA-AES128-SHA" ":" "ECDHE-RSA-AES256-SHA384" ":"
"DHE-RSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-SHA256" ":"
)); "ECDHE-ECDSA-CHACHA20-POLY1305" ":"
"ECDHE-ECDSA-AES256-SHA" ":"
"ECDHE-RSA-AES128-SHA" ":"
"DHE-RSA-AES128-GCM-SHA256"
));
#ifdef REQUEST_USE_CURL_TLSV13CL #ifdef REQUEST_USE_CURL_TLSV13CL
HandleCURLcode(curl_easy_setopt(easy, CURLOPT_TLS13_CIPHERS, HandleCURLcode(curl_easy_setopt(easy, CURLOPT_TLS13_CIPHERS,
"TLS_AES_256_GCM_SHA384" ":" "TLS_AES_256_GCM_SHA384" ":"
"TLS_CHACHA20_POLY1305_SHA256" ":" "TLS_CHACHA20_POLY1305_SHA256" ":"
"TLS_AES_128_GCM_SHA256" ":" "TLS_AES_128_GCM_SHA256" ":"
"TLS_AES_128_CCM_8_SHA256" ":" "TLS_AES_128_CCM_8_SHA256" ":"
"TLS_AES_128_CCM_SHA256" "TLS_AES_128_CCM_SHA256"
)); ));
#endif #endif
}
else if (ssl_type.Contains("Schannel"))
{
// TODO: add more cipher algorithms
HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, "CALG_ECDH_EPHEM"));
}
} }
else if (ssl_type.Contains("Schannel"))
{
// TODO: add more cipher algorithms
HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, "CALG_ECDH_EPHEM"));
}
#endif
// TODO: Find out what TLS1.2 is supported on, might need to also allow TLS1.0 // TODO: Find out what TLS1.2 is supported on, might need to also allow TLS1.0
HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2)); HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2));
#if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 70, 0) #if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 70, 0)
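Review bot: When SECURE_CIPHERS_ONLY is true and the backend name in ssl_version matches neither "OpenSSL" nor "Schannel", the if/else chain inside the `if constexpr` block ends without setting any cipher list and without a diagnostic, so the option silently has no effect on such builds (and, if curl reports forks as "BoringSSL"/"LibreSSL", on those too); a final `else` branch that logs the unhandled backend name, or a comment above the chain stating that only OpenSSL and Schannel are restricted, would make that visible. curl documents ssl_version as NULL when libcurl was built without TLS support, and whether ByteString tolerates a null const char* is not visible here, so a guard such as `if (!version_info->ssl_version) return;` before constructing ssl_type is cheap insurance. Since the option text asks users to review the list before enabling it, the OpenSSL list deserves a comment giving its selection criteria: it mixes AEAD suites with CBC/SHA-1 suites (ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA) that are generally rated weaker than the rest, and a reader cannot tell whether that is deliberate. SetupCurlEasyCiphers continues past the end of the hunk.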


@ -21,10 +21,12 @@ conf_data.set('UPDATESERVER', update_server)
conf_data.set('USE_UPDATESERVER', update_server != '' ? 'true' : 'false') conf_data.set('USE_UPDATESERVER', update_server != '' ? 'true' : 'false')
enforce_https = get_option('enforce_https') enforce_https = get_option('enforce_https')
secure_ciphers_only = get_option('secure_ciphers_only')
if not is_debug and not enforce_https if not is_debug and not enforce_https
error('refusing to build a release binary without enforcing HTTPS, configure with -Denforce_https=true to fix this error') error('refusing to build a release binary without enforcing HTTPS, configure with -Denforce_https=true to fix this error')
endif endif
conf_data.set('ENFORCE_HTTPS', enforce_https ? 'true' : 'false') conf_data.set('ENFORCE_HTTPS', enforce_https ? 'true' : 'false')
conf_data.set('SECURE_CIPHERS_ONLY', secure_ciphers_only ? 'true' : 'false')
conf_data.set('IGNORE_UPDATES', get_option('ignore_updates') ? 'true' : 'false') conf_data.set('IGNORE_UPDATES', get_option('ignore_updates') ? 'true' : 'false')
conf_data.set('SERVER', get_option('server')) conf_data.set('SERVER', get_option('server'))