mirror of
https://github.com/apache/httpd.git
synced 2025-08-01 07:26:57 +03:00
352d92c698
mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827992 13f79535-47bb-0310-9956-ffa450edef68
89 lines
4.7 KiB
C
89 lines
4.7 KiB
C
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
* contributor license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright ownership.
|
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
* (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/**
|
|
* @verbatim
|
|
_ _
|
|
_ __ ___ ___ __| | ___ ___| | mod_ssl
|
|
| '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
|
|
| | | | | | (_) | (_| | \__ \__ \ |
|
|
|_| |_| |_|\___/ \__,_|___|___/___/_|
|
|
|_____|
|
|
@endverbatim
|
|
* @file ssl_policies.h
|
|
* @brief Additional Utility Functions for OpenSSL
|
|
*
|
|
* @defgroup MOD_SSL_UTIL Utilities
|
|
* @ingroup MOD_SSL
|
|
* @{
|
|
*/
|
|
|
|
#ifndef __SSL_POLICIES_H__
|
|
#define __SSL_POLICIES_H__
|
|
|
|
#define SSL_MOD_POLICIES_KEY "ssl_module_policies"
|
|
|
|
#ifndef OPENSSL_NO_SSL3
|
|
#define SSL_PROTOCOL_CONSTANTS_SSLV3 SSL_PROTOCOL_SSLV3
|
|
#else
|
|
#define SSL_PROTOCOL_CONSTANTS_SSLV3 0
|
|
#endif
|
|
|
|
#ifdef HAVE_TLSV1_X
|
|
#define SSL_POLICY_LEGACY_PROTOCOLS \
|
|
(SSL_PROTOCOL_CONSTANTS_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1)
|
|
#endif
|
|
|
|
/* Settings for all policies */
|
|
#define SSL_POLICY_HONOR_ORDER 1
|
|
#define SSL_POLICY_COMPRESSION 0
|
|
#define SSL_POLICY_SESSION_TICKETS 0
|
|
|
|
/**
|
|
* Define a core set of policies that are always there:
|
|
* - 'modern' from https://wiki.mozilla.org/Security/Server_Side_TLS
|
|
* - 'intermediate' from https://wiki.mozilla.org/Security/Server_Side_TLS
|
|
* - 'old' from https://wiki.mozilla.org/Security/Server_Side_TLS
|
|
* The JSON version can be retrieved here:
|
|
* https://statics.tls.security.mozilla.org/server-side-tls-conf.json
|
|
*/
|
|
|
|
#define SSL_POLICY_MOZILLA_VERSION 4.0
|
|
|
|
#ifdef HAVE_TLSV1_X
|
|
#define SSL_POLICY_MODERN 1
|
|
#define SSL_POLICY_MODERN_SSL_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
|
|
#define SSL_POLICY_MODERN_TLS13_CIPHERS NULL
|
|
#define SSL_POLICY_MODERN_PROTOCOLS (SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
|
|
#else /* ifdef HAVE_TLSV1_X */
|
|
#define SSL_POLICY_MODERN 0
|
|
#endif /* ifdef HAVE_TLSV1_X, else part */
|
|
|
|
#define SSL_POLICY_INTERMEDIATE 1
|
|
#define SSL_POLICY_INTERMEDIATE_SSL_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
|
|
#define SSL_POLICY_INTERMEDIATE_TLS13_CIPHERS NULL
|
|
#define SSL_POLICY_INTERMEDIATE_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3|SSL_PROTOCOL_CONSTANTS_SSLV3))
|
|
|
|
#define SSL_POLICY_OLD 1
|
|
#define SSL_POLICY_OLD_SSL_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
|
|
#define SSL_POLICY_OLD_TLS13_CIPHERS NULL
|
|
#define SSL_POLICY_OLD_PROTOCOLS (SSL_PROTOCOL_ALL & ~(SSL_PROTOCOL_TLSV1_3))
|
|
|
|
|
|
#endif /* __SSL_POLICIES_H__ */
|
|
/** @} */
|
|
|