author | Jan Huwald <jh@sotun.de> | 2014-02-02 23:51:56 (GMT) |
---|---|---|
committer | Jan Huwald <jh@sotun.de> | 2014-02-02 23:51:56 (GMT) |
commit | 101cdc6e53f2229a48db9f5fc3bfee5cbdc2f0e0 (patch) | |
tree | 17e3f0170d55c1852847f34d43a0e9bb22b308d5 /ereproxy_config.erl | |
parent | 284994d0d88635bdbdc79f08ed7e7a2da87f480a (diff) |
improve ssl security
- enable TLS 1.1 and 1.2
- disable DES based ciphers (much too small key space)
- disable RC4 cipher (broken)
- disable SSL3 (but this is ignored by erlang_ssl, so it stays supported anyway)
Diffstat (limited to 'ereproxy_config.erl')
-rw-r--r-- | ereproxy_config.erl | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/ereproxy_config.erl b/ereproxy_config.erl
index 37423e4..80bf243 100644
--- a/ereproxy_config.erl
+++ b/ereproxy_config.erl
@@ -1,12 +1,14 @@
 -module(ereproxy_config).
--export([config/0, select_destination/1]).
+-export([ciphers/0, config/0, select_destination/1]).
 -include("ereproxy_config.hrl").
 config() ->
 #cfg{listen = [{http, 80}, {https, 443}],
 ssl_opts = [{certfile, "example/cert.pem"},
-{keyfile, "example/key.pem"}]
+{keyfile, "example/key.pem"},
+{versions, [tlsv1, 'tlsv1.1', 'tlsv1.2']},
+{ciphers, ciphers()}]
 }.
 %% select_destination
@@ -29,3 +31,11 @@ destination_list() ->
 Dash <- ["", "-"],
 TLD <- ["com", "de", "net", "eu", "org", "at"] ] ].
+
+ciphers() -> filter_ciphers(ssl:cipher_suites()).
+
+filter_ciphers([{_, '3des_ede_cbc', _} | Rest]) -> filter_ciphers(Rest);
+filter_ciphers([{_, des_cbc, _} | Rest]) -> filter_ciphers(Rest);
+filter_ciphers([{_, rc4_128, _} | Rest]) -> filter_ciphers(Rest);
+filter_ciphers([Cipher | Rest]) -> [Cipher | filter_ciphers(Rest)];
+filter_ciphers([]) -> [].
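Review bot: `filter_ciphers/1` in the second hunk is a deny-list that fails open: its catch-all clause `filter_ciphers([Cipher | Rest]) -> [Cipher | filter_ciphers(Rest)]` keeps any suite whose shape is not exactly `{_, Cipher, _}`, so a DES, 3DES or RC4 suite reported in another tuple arity (later OTP releases return 4-tuple suites for some TLS 1.2 cipher suites, if I recall correctly) would be offered to clients despite the intent of this commit. Reading the bulk cipher with `element(2, Suite)` instead of a fixed 3-tuple pattern closes that gap and lets an unexpected suite shape crash at config load (`badarg`) rather than silently pass, and a comprehension replaces the hand-rolled recursion. The result is still a deny-list, so algorithms not named here are accepted; an allow-list of approved suites is the stronger default, but the rewrite below keeps the commit's deny-list semantics. A `-spec` on the newly exported `ciphers/0` would also let dialyzer flag shape mismatches against `ssl:cipher_suites/0`.

```erlang
ciphers() ->
    [Suite || Suite <- ssl:cipher_suites(), not is_weak_cipher(Suite)].

%% Bulk ciphers with too small a key space (DES, 3DES) or a known break (RC4).
%% The bulk cipher sits in position 2 of a suite tuple regardless of its arity;
%% a non-tuple suite raises badarg here instead of being kept.
is_weak_cipher(Suite) ->
    lists:member(element(2, Suite), ['3des_ede_cbc', des_cbc, rc4_128]).
```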