openssl: Prefer tls1.2. Only use secure ciphers.

diff --git a/basis/io/sockets/secure/openssl/openssl.factor b/basis/io/sockets/secure/openssl/openssl.factor
index b87e3951c9258c648d2661aebf16f9073627ac33..711d4dc2c72cfd8907b9b2182a0699266b12d5c3 100644 (file)
--- a/basis/io/sockets/secure/openssl/openssl.factor
+++ b/basis/io/sockets/secure/openssl/openssl.factor
@@ -12,8 +12,9 @@ splitting unicode.case ;
 IN: io.sockets.secure.openssl
 
 GENERIC: ssl-method ( symbol -- method )
-
-M: TLSv1  ssl-method drop TLSv1_method ;
+M: TLSv1 ssl-method drop TLSv1_method ;
+M: TLSv1.1 ssl-method drop TLSv1_1_method ;
+M: TLSv1.2 ssl-method drop TLSv1_2_method ;
 
 TUPLE: openssl-context < secure-context aliens sessions ;
 
@@ -163,12 +164,18 @@ SYMBOL: default-secure-context
 : save-session ( session addrspec -- )
     current-secure-context sessions>> set-at ;
 
+: set-secure-cipher-list-only ( ssl -- ssl )
+    dup handle>>
+    "DES-CBC3-SHA:IDEA-CBC-SHA:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA"
+    SSL_set_cipher_list ssl-error ;
+
 : <ssl-handle> ( fd -- ssl )
     [
         ssl-handle new-disposable |dispose
-        current-secure-context handle>> SSL_new
+        current-secure-context handle>> SSL_new |dispose
         dup ssl-error >>handle
         swap >>file
+        set-secure-cipher-list-only
     ] with-destructors ;
 
 :: <ssl-socket> ( winsock hostname -- ssl )

diff --git a/basis/io/sockets/secure/secure.factor b/basis/io/sockets/secure/secure.factor
index 2ef50a07a13df0e45c91b4a1a5e9c4a32f1950f2..9536ed7d33f4dbdd7c5cb69e7d503bea4532f1b1 100644 (file)
--- a/basis/io/sockets/secure/secure.factor
+++ b/basis/io/sockets/secure/secure.factor
@@ -1,8 +1,8 @@
 ! Copyright (C) 2008, 2010 Slava Pestov.
 ! See http://factorcode.org/license.txt for BSD license.
-USING: accessors calendar combinators delegate destructors io
-io.sockets io.sockets.private kernel namespaces present
-sequences summary system vocabs ;
+USING: accessors alien.libraries calendar combinators delegate
+destructors io io.sockets io.sockets.private kernel memoize
+namespaces present sequences summary system vocabs ;
 IN: io.sockets.secure
 
 SYMBOL: secure-socket-timeout
@@ -17,7 +17,17 @@ HOOK: ssl-certificate-verification-supported? secure-socket-backend ( -- ? )
 M: object ssl-supported? f ;
 M: object ssl-certificate-verification-supported? f ;
 
-SINGLETONS: TLSv1 ;
+SINGLETONS: TLSv1 TLSv1.1 TLSv1.2 ;
+
+ERROR: no-tls-supported ;
+
+MEMO: best-tls-method ( -- class )
+    {
+        { [ "TLSv1_2_method" "libssl" dlsym? ] [ TLSv1.2 ] }
+        { [ "TLSv1_1_method" "libssl" dlsym? ] [ TLSv1.1 ] }
+        { [ "TLSv1_method" "libssl" dlsym? ] [ TLSv1 ] }
+        [ no-tls-supported ]
+    } cond ;
 
 TUPLE: secure-config
 method
@@ -30,7 +40,7 @@ ephemeral-key-bits ;
 
 : <secure-config> ( -- config )
     secure-config new
-        TLSv1 >>method
+        best-tls-method >>method
         1024 >>ephemeral-key-bits
         ssl-certificate-verification-supported? >>verify ;
 

diff --git a/basis/openssl/libssl/libssl.factor b/basis/openssl/libssl/libssl.factor
index e9c101dc6f44e0523ac1c8cee92e7c8d458b1287..18ed03a6aaca0f054fb61032d69a9ac5a5b4f5d1 100644 (file)
--- a/basis/openssl/libssl/libssl.factor
+++ b/basis/openssl/libssl/libssl.factor
@@ -362,6 +362,10 @@ FUNCTION: ssl-method TLSv1_server_method (  )
 
 FUNCTION: ssl-method TLSv1_method (  )
 
+FUNCTION: ssl-method TLSv1_1_method (  )
+
+FUNCTION: ssl-method TLSv1_2_method (  )
+
 ! Creates the context
 FUNCTION: SSL_CTX* SSL_CTX_new ( ssl-method method )
 

diff --git a/basis/openssl/openssl.factor b/basis/openssl/openssl.factor
index 9315e43a392c5a39bc5ecdb65b6fb82cb8eaca52..0e1a39633226dd87887ff7db88cf9302c6402f6a 100644 (file)
--- a/basis/openssl/openssl.factor
+++ b/basis/openssl/openssl.factor
@@ -23,8 +23,7 @@ SINGLETON: openssl
 : init-ssl ( -- )
     SSL_library_init ssl-error
     SSL_load_error_strings
-    OpenSSL_add_all_digests
-    OpenSSL_add_all_ciphers ;
+    OpenSSL_add_all_digests ;
 
 SYMBOL: ssl-initialized?