Add a mozilla modern profile

author: Steven Fackler <[email protected]> 2016-10-30 14:57:22 -0700
committer: Steven Fackler <[email protected]> 2016-10-30 14:57:22 -0700
commit: 52f288e090ef5d420ea0692c435c42c30570a957 (patch)
tree: c857f80bd5a6aac7915b7eb00b01d12fac7c31ed /openssl/src/ssl/connector.rs
parent: Rename nwe to mozilla_intermediate (diff)
download: rust-openssl-52f288e090ef5d420ea0692c435c42c30570a957.tar.xz
rust-openssl-52f288e090ef5d420ea0692c435c42c30570a957.zip
1 files changed, 33 insertions, 2 deletions
diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index 0bac87cf..701fdeaf 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -101,8 +101,8 @@ pub struct ServerConnectorBuilder(SslContextBuilder);
 impl ServerConnectorBuilder {
     /// Creates a new builder for server-side TLS connections.
     ///
-    /// The default configuration is based off of the intermediate profile of Mozilla's server side
-    /// TLS configuration recommendations, and is subject to change.
+    /// The configuration is based off of the intermediate profile of Mozilla's server side
+    /// TLS configuration recommendations.
     pub fn mozilla_intermediate<I>(method: SslMethod,
                                    private_key: &PKeyRef,
                                    certificate: &X509Ref,
@@ -128,6 +128,37 @@ impl ServerConnectorBuilder {
              DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
              EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:\
              AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"));
+        ServerConnectorBuilder::finish_setup(ctx, private_key, certificate, chain)
+    }
+
+    pub fn mozilla_modern<I>(method: SslMethod,
+                             private_key: &PKeyRef,
+                             certificate: &X509Ref,
+                             chain: I)
+                             -> Result<ServerConnectorBuilder, ErrorStack>
+        where I: IntoIterator,
+              I::Item: AsRef<X509Ref>
+    {
+        let mut ctx = try!(ctx(method));
+        ctx.set_options(ssl::SSL_OP_SINGLE_ECDH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE);
+        try!(setup_curves(&mut ctx));
+        try!(ctx.set_cipher_list(
+            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
+             ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
+             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
+             ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:\
+             ECDHE-RSA-AES128-SHA256"));
+        ServerConnectorBuilder::finish_setup(ctx, private_key, certificate, chain)
+    }
+
+    fn finish_setup<I>(mut ctx: SslContextBuilder,
+                       private_key: &PKeyRef,
+                       certificate: &X509Ref,
+                       chain: I)
+                       -> Result<ServerConnectorBuilder, ErrorStack>
+        where I: IntoIterator,
+             I::Item: AsRef<X509Ref>
+    {
         try!(ctx.set_private_key(private_key));
         try!(ctx.set_certificate(certificate));
         try!(ctx.check_private_key());
author	Steven Fackler <[email protected]>	2016-10-30 14:57:22 -0700
committer	Steven Fackler <[email protected]>	2016-10-30 14:57:22 -0700
commit	52f288e090ef5d420ea0692c435c42c30570a957 (patch)
tree	c857f80bd5a6aac7915b7eb00b01d12fac7c31ed /openssl/src/ssl/connector.rs
parent	Rename nwe to mozilla_intermediate (diff)
download	rust-openssl-52f288e090ef5d420ea0692c435c42c30570a957.tar.xz rust-openssl-52f288e090ef5d420ea0692c435c42c30570a957.zip