Cipher List Setting #13
Conversation
# Problem can not connect some site. e.g. https://echo.websocket.org https://www.ssllabs.com/ssltest/analyze.html?d=echo.websocket.org Safari can respond 404 but HTTPSClient reset connection by peer # Reason default cipher list `"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"` is strict so some server does not reach its requirement. # Fix Able to set cipherList from HTTPSClient it can pass to TCPSSL and then OpenSSL it does not break current program because it uses `cipherList: String? = nil` so exsist code runs exactly it was before.
| @@ -27,17 +27,26 @@ import COpenSSL | |||
| typealias CCallback = @convention(c) Void -> Void | |||
|
|
|||
| public final class SSLClientContext: Context { | |||
| public init(verifyBundle: String? = nil, certificate: String? = nil, privateKey: String? = nil, certificateChain: String? = nil) throws { | |||
| public init(verifyBundle: String? = nil, | |||
There was a problem hiding this comment.
Cyclomatic Complexity Violation: Function should have complexity 10 or less: currently complexity equals 12 (cyclomatic_complexity)
|
related: |
Just removed Cipher List Specification otherwise we find clean solution.
|
Just removed Cipher List Specification otherwise we find clean solution. It would be best we figure clean solution like ContextConfiguration. |
|
related issue |
| try super.init(method: .SSLv23, type: .Client) | ||
|
|
||
| SSL_CTX_set_verify(context, SSL_VERIFY_PEER, nil) | ||
| SSL_CTX_set_verify_depth(context, 4) | ||
| SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION) | ||
|
|
||
| if SSL_CTX_set_cipher_list(context, "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4") != 1 { | ||
| throw Context.Error.Certificate(description: lastSSLErrorDescription) |
There was a problem hiding this comment.
So what is it being set to now?
There was a problem hiding this comment.
@czechboy0 the Open SSL default.. which I don't know what is haha
There was a problem hiding this comment.
That doesn't sound good 😬 We should be kept at high security and only lower it on demand by the client, not the other way around. Can you please find out what setting we have here now, @tomohisa? I'd like to know how secure my servers are after this change.
There was a problem hiding this comment.
But only the client changed. Not the server. And yes, @tomohisa created an issue so we find a way to set the cyphers in a type-safe way. Using option set or enums, etc. You can take the front if you're interested.
There was a problem hiding this comment.
I use this code on servers to fetch data from other servers over https :) And since it was changed I'd like to know what the security setting is now.
There was a problem hiding this comment.
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
@tomohisa can you see if the server you were targeting works with the cipher list on the link I sent, please?
Problem
can not connect some site. e.g. https://echo.websocket.org
https://www.ssllabs.com/ssltest/analyze.html?d=echo.websocket.org
Safari can respond 404 but HTTPSClient reset connection by peer
Reason
default cipher list
"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"is strictso some server does not reach its requirement.
Fix
Able to set cipherList from HTTPSClient it can pass to TCPSSL and then
OpenSSL
it does not break current program because it uses
cipherList: String? = nilso exsist code runs exactly it was before.