Mercurial > hg > orthanc
comparison OrthancServer/Sources/main.cpp @ 4381:df313e410f0c varian
Add support to configure minimimum accepted TLS version and cipher suite
| author | Andrew Wallis <andrew.wallis@varian.com>> |
|---|---|
| date | Fri, 11 Dec 2020 11:59:10 -0500 |
| parents | 9e2fc6911ac8 |
| children | 3aacd2bd8bbc |
comparison
equal
deleted
inserted
replaced
| 4379:85b5b0e1bac9 | 4381:df313e410f0c |
|---|---|
| 1041 { | 1041 { |
| 1042 std::string certificate = lock.GetConfiguration().InterpretStringParameterAsPath( | 1042 std::string certificate = lock.GetConfiguration().InterpretStringParameterAsPath( |
| 1043 lock.GetConfiguration().GetStringParameter("SslCertificate", "certificate.pem")); | 1043 lock.GetConfiguration().GetStringParameter("SslCertificate", "certificate.pem")); |
| 1044 httpServer.SetSslEnabled(true); | 1044 httpServer.SetSslEnabled(true); |
| 1045 httpServer.SetSslCertificate(certificate.c_str()); | 1045 httpServer.SetSslCertificate(certificate.c_str()); |
| 1046 | |
| 1047 // Default to TLS 1.2 as SSL minimum | |
| 1048 // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md "ssl_protocol_version" for mapping | |
| 1049 std::string tls1_2 = "4"; | |
| 1050 std::string minimumVersion = lock.GetConfiguration().GetStringParameter("SslMinimumProtocolVersion", tls1_2); | |
| 1051 httpServer.SetSslMinimumVersion(minimumVersion); | |
| 1052 | |
| 1053 // Default to FIPS 140-2 ciphers | |
| 1054 const std::vector<std::string> fipsCiphers = { | |
| 1055 "ECDHE-ECDSA-AES256-GCM-SHA384", | |
| 1056 "ECDHE-ECDSA-AES256-SHA384", | |
| 1057 "ECDHE-RSA-AES256-GCM-SHA384", | |
| 1058 "ECDHE-RSA-AES128-GCM-SHA256", | |
| 1059 "ECDHE-RSA-AES256-SHA384", | |
| 1060 "ECDHE-RSA-AES128-SHA256", | |
| 1061 "ECDHE-RSA-AES128-SHA", | |
| 1062 "ECDHE-RSA-AES256-SHA", | |
| 1063 "DHE-RSA-AES256-SHA", | |
| 1064 "DHE-RSA-AES128-SHA", | |
| 1065 "AES256-SHA", | |
| 1066 "AES128-SHA"}; | |
| 1067 | |
| 1068 // Format default cipher string | |
| 1069 std::string defaultCipherString; | |
| 1070 for (const auto &cipher : fipsCiphers) | |
| 1071 { | |
| 1072 defaultCipherString += cipher + ":"; | |
| 1073 } | |
| 1074 defaultCipherString.pop_back(); | |
| 1075 | |
| 1076 std::string ciphersAccepted = lock.GetConfiguration().GetStringParameter("SslCiphersAccepted", defaultCipherString); | |
| 1077 httpServer.SetSslCiphers(ciphersAccepted); | |
| 1046 } | 1078 } |
| 1047 else | 1079 else |
| 1048 { | 1080 { |
| 1049 httpServer.SetSslEnabled(false); | 1081 httpServer.SetSslEnabled(false); |
| 1050 } | 1082 } |