From 101cdc6e53f2229a48db9f5fc3bfee5cbdc2f0e0 Mon Sep 17 00:00:00 2001
From: Jan Huwald
Date: Mon, 3 Feb 2014 00:51:56 +0100
Subject: improve ssl security
- enable TLS 1.1 and 1.2
- disable DES based ciphers (much too small key space)
- disable RC4 cipher (broken)
- disable SSL3 (but is ignored by erlang_ssl and supported anyway)
diff --git a/ereproxy_config.erl b/ereproxy_config.erl
index 37423e4..80bf243 100644
--- a/ereproxy_config.erl
+++ b/ereproxy_config.erl
@@ -1,12 +1,14 @@
 -module(ereproxy_config).
--export([config/0, select_destination/1]).
+-export([ciphers/0, config/0, select_destination/1]).
 -include("ereproxy_config.hrl").
 config() ->
 #cfg{listen = [{http, 80}, {https, 443}],
 ssl_opts = [{certfile, "example/cert.pem"},
- {keyfile, "example/key.pem"}]
+ {keyfile, "example/key.pem"},
+ {versions, [tlsv1, 'tlsv1.1', 'tlsv1.2']},
+ {ciphers, ciphers()}]
 }.
 %% select_destination
@@ -29,3 +31,11 @@ destination_list() ->
 Dash <- ["", "-"],
 TLD <- ["com", "de", "net", "eu", "org", "at"] ] ].
+
+ciphers() -> filter_ciphers(ssl:cipher_suites()).
+
+filter_ciphers([{_, '3des_ede_cbc', _} | Rest]) -> filter_ciphers(Rest);
+filter_ciphers([{_, des_cbc, _} | Rest]) -> filter_ciphers(Rest);
+filter_ciphers([{_, rc4_128, _} | Rest]) -> filter_ciphers(Rest);
+filter_ciphers([Cipher | Rest]) -> [Cipher | filter_ciphers(Rest)];
+filter_ciphers([]) -> [].
-- 
cgit v0.10.1
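Review bot: The new `versions` entry in ssl_opts still offers `tlsv1`, so of the legacy protocols only SSLv3 is dropped, and nothing in the code records why 1.0 is kept; a comment such as `%% tlsv1 kept for older clients; sslv3 deliberately omitted` next to that line would preserve the intent the commit message spells out. The message also says the SSLv3 exclusion is ignored by the ssl application; if so, the protocol actually negotiated should be verified on an accepted socket (`ssl:connection_info/1` reports the protocol version and cipher suite) rather than inferred from this option list, and that caveat belongs in the same comment. Note too that `ciphers()` is evaluated on every call of config/0 and its result depends on the suite list of whichever OTP release is running, which is worth stating on the `{ciphers, ciphers()}` line.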
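Review bot: filter_ciphers/1 only recognises 3-tuple suites `{KeyExchange, Cipher, Hash}`; a suite that `ssl:cipher_suites/0` reports in another shape (later OTP releases also return 4-tuples carrying a PRF element) falls through to the generic clause and is kept even when its cipher is rc4_128 or DES, so the filter would silently stop excluding exactly what it was written to exclude. Matching on the second element regardless of tuple size avoids that and makes the denylist explicit: `filter_ciphers(Suites) -> [S || S <- Suites, not lists:member(element(2, S), ['3des_ede_cbc', des_cbc, rc4_128])].` Since this is a denylist over the runtime's default suites, weak suites a future release might add are not excluded automatically; a one-line comment on ciphers/0 stating that trade-off, and a `-spec ciphers() -> list().` on the newly exported function, would document the contract for callers outside this module.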