Security enhancement: TLS configuration #226
Comments
|
i don't think actually wants an api for setting ciphers - this is something it should simply do correctly as a design choice. but its a design choice and ymmv - but its consistent with the purpose of the api. the ciphers should be restricted further, I agree. tls 1.0 and 1.1 are considered acceptable best practice right now (in a way that ssl and rc4 are not) and removing them would break compat with many legacy servers.. as neat endeavors to communicate with non neat system I think the best policy is to keep neat updated with best practices and have it updated independently of the applications it is linked to. |
|
TLS 1.2 is already more than 8 years old. If users really want to use very old legacy systems, they should explicitly request backwards compatibility (or better fix their systems to have state-of-the-art security). The default should be state-of-the-art security, not legacy support. |
|
feel free to make the change if you like. |
In neat_security.c: neat_security_install():
SSL_CTX_set_options(private->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3):
What about adding SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 as well, in order to enforce at least TLS 1.2 by default? If a user program wants to allow older versions (TLS 1.0, TLS 1.1), it must explicitly override the default.
SSL_CTX_set_cipher_list(private->ctx, "DEFAULT:-RC4");
This deactivates RC4, which is good. But the TLS ciphers also contain algorithms like DES and SHA-1. What about using only state-of-the-art ciphers by default? If a user program wants to allow weaker algorithms, it must explicitly override the default. NEAT needs an API for setting the ciphers.
The text was updated successfully, but these errors were encountered: