diff options
Diffstat (limited to 'openssl/src')
| -rw-r--r-- | openssl/src/ssl/connector.rs | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 6469c59e..8f568054 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -5,6 +5,7 @@ use error::ErrorStack; use ssl::{self, SslMethod, SslContextBuilder, SslContext, Ssl, SSL_VERIFY_PEER, SslStream, HandshakeError}; use pkey::PKeyRef; +use version; use x509::X509Ref; #[cfg(ossl101)] @@ -39,8 +40,17 @@ fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> { opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE; ctx.set_options(opts); - let mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + let mut mode = ssl::SSL_MODE_AUTO_RETRY | + ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | ssl::SSL_MODE_ENABLE_PARTIAL_WRITE; + + // This is quite a useful optimization for saving memory, but historically + // caused CVEs in OpenSSL pre-1.0.1h, according to + // https://bugs.python.org/issue25672 + if version::number() >= 0x1000108f { + mode |= ssl::SSL_MODE_RELEASE_BUFFERS; + } + ctx.set_mode(mode); Ok(ctx) @@ -56,11 +66,13 @@ impl SslConnectorBuilder { pub fn new(method: SslMethod) -> Result<SslConnectorBuilder, ErrorStack> { let mut ctx = try!(ctx(method)); try!(ctx.set_default_verify_paths()); - // From https://github.com/python/cpython/blob/c30098c8c6014f3340a369a31df9c74bdbacc269/Lib/ssl.py#L191 + // From https://github.com/python/cpython/blob/a170fa162dc03f0a014373349e548954fff2e567/Lib/ssl.py#L193 try!(ctx.set_cipher_list( - "ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:\ - DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:\ - RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES", + "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:\ + TLS13-AES-128-GCM-SHA256:\ + ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:\ + ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:\ + !aNULL:!eNULL:!MD5:!3DES" )); setup_verify(&mut ctx); |