Mercurial > hg > orthanc
comparison OrthancServer/Sources/main.cpp @ 4382:3aacd2bd8bbc varian
review changeset 4381:df313e410f0c
| author | Sebastien Jodogne <s.jodogne@gmail.com> |
|---|---|
| date | Thu, 17 Dec 2020 15:10:04 +0100 |
| parents | df313e410f0c |
| children | 80fd140b12ba |
comparison
equal
deleted
inserted
replaced
| 4381:df313e410f0c | 4382:3aacd2bd8bbc |
|---|---|
| 1044 httpServer.SetSslEnabled(true); | 1044 httpServer.SetSslEnabled(true); |
| 1045 httpServer.SetSslCertificate(certificate.c_str()); | 1045 httpServer.SetSslCertificate(certificate.c_str()); |
| 1046 | 1046 |
| 1047 // Default to TLS 1.2 as SSL minimum | 1047 // Default to TLS 1.2 as SSL minimum |
| 1048 // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md "ssl_protocol_version" for mapping | 1048 // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md "ssl_protocol_version" for mapping |
| 1049 std::string tls1_2 = "4"; | 1049 static const unsigned int TLS_1_2 = 4; |
| 1050 std::string minimumVersion = lock.GetConfiguration().GetStringParameter("SslMinimumProtocolVersion", tls1_2); | 1050 unsigned int minimumVersion = lock.GetConfiguration().GetUnsignedIntegerParameter("SslMinimumProtocolVersion", TLS_1_2); |
| 1051 httpServer.SetSslMinimumVersion(minimumVersion); | 1051 httpServer.SetSslMinimumVersion(minimumVersion); |
| 1052 | 1052 |
| 1053 // Default to FIPS 140-2 ciphers | 1053 static const char* SSL_CIPHERS_ACCEPTED = "SslCiphersAccepted"; |
| 1054 const std::vector<std::string> fipsCiphers = { | 1054 |
| 1055 "ECDHE-ECDSA-AES256-GCM-SHA384", | 1055 std::list<std::string> ciphers; |
| 1056 "ECDHE-ECDSA-AES256-SHA384", | 1056 |
| 1057 "ECDHE-RSA-AES256-GCM-SHA384", | 1057 if (lock.GetJson().type() == Json::objectValue && |
| 1058 "ECDHE-RSA-AES128-GCM-SHA256", | 1058 lock.GetJson().isMember(SSL_CIPHERS_ACCEPTED)) |
| 1059 "ECDHE-RSA-AES256-SHA384", | |
| 1060 "ECDHE-RSA-AES128-SHA256", | |
| 1061 "ECDHE-RSA-AES128-SHA", | |
| 1062 "ECDHE-RSA-AES256-SHA", | |
| 1063 "DHE-RSA-AES256-SHA", | |
| 1064 "DHE-RSA-AES128-SHA", | |
| 1065 "AES256-SHA", | |
| 1066 "AES128-SHA"}; | |
| 1067 | |
| 1068 // Format default cipher string | |
| 1069 std::string defaultCipherString; | |
| 1070 for (const auto &cipher : fipsCiphers) | |
| 1071 { | 1059 { |
| 1072 defaultCipherString += cipher + ":"; | 1060 lock.GetConfiguration().GetListOfStringsParameter(ciphers, SSL_CIPHERS_ACCEPTED); |
| 1073 } | 1061 } |
| 1074 defaultCipherString.pop_back(); | 1062 else |
| 1075 | 1063 { |
| 1076 std::string ciphersAccepted = lock.GetConfiguration().GetStringParameter("SslCiphersAccepted", defaultCipherString); | 1064 // Defaults to FIPS 140-2 ciphers |
| 1077 httpServer.SetSslCiphers(ciphersAccepted); | 1065 CLOG(INFO, HTTP) << "No configuration option \"" << SSL_CIPHERS_ACCEPTED |
| 1066 << "\", will accept the FIPS 140-2 ciphers"; | |
| 1067 | |
| 1068 ciphers.push_back("ECDHE-ECDSA-AES256-GCM-SHA384"); | |
| 1069 ciphers.push_back("ECDHE-ECDSA-AES256-SHA384"); | |
| 1070 ciphers.push_back("ECDHE-RSA-AES256-GCM-SHA384"); | |
| 1071 ciphers.push_back("ECDHE-RSA-AES128-GCM-SHA256"); | |
| 1072 ciphers.push_back("ECDHE-RSA-AES256-SHA384"); | |
| 1073 ciphers.push_back("ECDHE-RSA-AES128-SHA256"); | |
| 1074 ciphers.push_back("ECDHE-RSA-AES128-SHA"); | |
| 1075 ciphers.push_back("ECDHE-RSA-AES256-SHA"); | |
| 1076 ciphers.push_back("DHE-RSA-AES256-SHA"); | |
| 1077 ciphers.push_back("DHE-RSA-AES128-SHA"); | |
| 1078 ciphers.push_back("AES256-SHA"); | |
| 1079 ciphers.push_back("AES128-SHA"); | |
| 1080 } | |
| 1081 | |
| 1082 httpServer.SetSslCiphers(ciphers); | |
| 1078 } | 1083 } |
| 1079 else | 1084 else |
| 1080 { | 1085 { |
| 1081 httpServer.SetSslEnabled(false); | 1086 httpServer.SetSslEnabled(false); |
| 1082 } | 1087 } |