diff --git a/src/pkg-tls.c b/src/pkg-tls.c index 41a74b5..b5c16e8 100644 --- a/src/pkg-tls.c +++ b/src/pkg-tls.c @@ -518,12 +518,33 @@ tls_global_init (void) , time_stamp()); goto ssl_init_err; } +#ifdef SSL_CTRL_SET_TMP_ECDH + do { + EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (ecdh == NULL) { + debug_message("%s TLS: Error setting ECDHE parameters:\n" + , time_stamp()); + goto ssl_init_err; + } else { + debug_message("%s: TLS: using ECDHE, yai\n" + , time_stamp()); + } + SSL_CTX_set_tmp_ecdh(context,ecdh); + EC_KEY_free(ecdh); + } while (0); +#endif /* Avoid small subgroup attacks */ /* do not do SSLv2 */ SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE); SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); + if (SSL_CTX_set_cipher_list(context, "HIGH:!DSS:!aNULL@STRENGTH") != 1) { + debug_message("SSL_CTX_set_cipher_list failed." + , time_stamp()); + goto ssl_init_err; + } + /* OpenSSL successfully initialised */ tls_available = MY_TRUE; return; @@ -1548,14 +1569,14 @@ f_tls_query_connection_info (svalue_t *sp) #ifdef HAS_OPENSSL put_c_string(&(rc->item[TLS_CIPHER]) , SSL_get_cipher(ip->tls_session)); - put_number(&(rc->item[TLS_COMP]), 0); + put_number(&(rc->item[TLS_COMP]), ip->tls_session->session->compress_meth); put_number(&(rc->item[TLS_KX]), 0); put_number(&(rc->item[TLS_MAC]), 0); put_c_string(&(rc->item[TLS_PROT]) , SSL_get_version(ip->tls_session)); /* warning: this session id is binary .. maybe fix it someday */ - put_c_string(&(rc->item[TLS_SESSION]) - , (char*) ip->tls_session->session->session_id); + put_c_n_string(&(rc->item[TLS_SESSION]) + , (char*) ip->tls_session->session->session_id, ip->tls_session->session->session_id_length); #elif defined(HAS_GNUTLS) put_number(&(rc->item[TLS_CIPHER]) , gnutls_cipher_get(ip->tls_session));