fippo thinks we should enforce forward secrecy

src/pkg-tls.c

@@ -518,12 +518,33 @@ tls_global_init (void)
               , time_stamp());
         goto ssl_init_err;
     }
+#ifdef SSL_CTRL_SET_TMP_ECDH
+    do {
+	EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+	if (ecdh == NULL) {
+		debug_message("%s TLS: Error setting ECDHE parameters:\n"
+			      , time_stamp());
+		goto ssl_init_err;
+	} else {
+		debug_message("%s: TLS: using ECDHE, yai\n"
+			      , time_stamp());
+	}
+	SSL_CTX_set_tmp_ecdh(context,ecdh);
+	EC_KEY_free(ecdh);
+    } while (0);
+#endif
 
     /* Avoid small subgroup attacks */
     /* do not do SSLv2 */
     SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
     SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
 
+    if (SSL_CTX_set_cipher_list(context, "HIGH:!DSS:!aNULL@STRENGTH") != 1) {
+        debug_message("SSL_CTX_set_cipher_list failed."
+                    , time_stamp());
+        goto ssl_init_err;
+    }
+
     /* OpenSSL successfully initialised */
     tls_available = MY_TRUE;
     return;
@@ -1548,14 +1569,14 @@ f_tls_query_connection_info (svalue_t *sp)
 #ifdef HAS_OPENSSL
         put_c_string(&(rc->item[TLS_CIPHER])
                     , SSL_get_cipher(ip->tls_session));
-        put_number(&(rc->item[TLS_COMP]), 0);
+        put_number(&(rc->item[TLS_COMP]), ip->tls_session->session->compress_meth);
         put_number(&(rc->item[TLS_KX]), 0);
         put_number(&(rc->item[TLS_MAC]), 0);
         put_c_string(&(rc->item[TLS_PROT])
                     , SSL_get_version(ip->tls_session));
 	/* warning: this session id is binary .. maybe fix it someday */
-	put_c_string(&(rc->item[TLS_SESSION])
+	put_c_n_string(&(rc->item[TLS_SESSION])
-		    , (char*) ip->tls_session->session->session_id);
+		    , (char*) ip->tls_session->session->session_id, ip->tls_session->session->session_id_length);
 #elif defined(HAS_GNUTLS)
         put_number(&(rc->item[TLS_CIPHER])
                   , gnutls_cipher_get(ip->tls_session));