comparison OrthancServer/Sources/main.cpp @ 4381:df313e410f0c varian
Add support to configure minimimum accepted TLS version and cipher suite
author | Andrew Wallis <andrew.wallis@varian.com>> |
---|---|
date | Fri, 11 Dec 2020 11:59:10 -0500 |
parents | 9e2fc6911ac8 |
children | 3aacd2bd8bbc |
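--- a/OrthancServer/Sources/main.cpp
+++ b/OrthancServer/Sources/main.cpp
@@ -1041,10 +1041,42 @@
 {
 std::string certificate = lock.GetConfiguration().InterpretStringParameterAsPath(
 lock.GetConfiguration().GetStringParameter("SslCertificate", "certificate.pem"));
 httpServer.SetSslEnabled(true);
 httpServer.SetSslCertificate(certificate.c_str());
+
+// Default to TLS 1.2 as SSL minimum
+// See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md "ssl_protocol_version" for mapping
+std::string tls1_2 = "4";
+std::string minimumVersion = lock.GetConfiguration().GetStringParameter("SslMinimumProtocolVersion", tls1_2);
+httpServer.SetSslMinimumVersion(minimumVersion);
+
+// Default to FIPS 140-2 ciphers
+const std::vector<std::string> fipsCiphers = {
+"ECDHE-ECDSA-AES256-GCM-SHA384",
+"ECDHE-ECDSA-AES256-SHA384",
+"ECDHE-RSA-AES256-GCM-SHA384",
+"ECDHE-RSA-AES128-GCM-SHA256",
+"ECDHE-RSA-AES256-SHA384",
+"ECDHE-RSA-AES128-SHA256",
+"ECDHE-RSA-AES128-SHA",
+"ECDHE-RSA-AES256-SHA",
+"DHE-RSA-AES256-SHA",
+"DHE-RSA-AES128-SHA",
+"AES256-SHA",
+"AES128-SHA"};
+
+// Format default cipher string
+std::string defaultCipherString;
+for (const auto &cipher : fipsCiphers)
+{
+defaultCipherString += cipher + ":";
+}
+defaultCipherString.pop_back();
+
+std::string ciphersAccepted = lock.GetConfiguration().GetStringParameter("SslCiphersAccepted", defaultCipherString);
+httpServer.SetSslCiphers(ciphersAccepted);
 }
 else
 {
 httpServer.SetSslEnabled(false);
 }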
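Review bot: `SslMinimumProtocolVersion` and `SslCiphersAccepted` are forwarded to the HTTP server without any validation (new-side lines 1050-1051 and 1076-1077), so a typo such as `"2"`, a value outside civetweb's documented range, or an empty cipher string silently lowers the TLS floor or hands civetweb an unparseable list, and nothing is logged about what the server will actually negotiate. Consider rejecting values outside the documented `ssl_protocol_version` range (or at least warning when the configured minimum is below the `"4"` default) and logging the effective minimum version and cipher list at startup, e.g. `LOG(INFO) << "SSL minimum protocol version: " << minimumVersion;` if this file already uses Orthanc's `LOG` macro. The literal in `std::string tls1_2 = "4";` is civetweb's code for "TLS 1.2 and above", which the comment should say explicitly rather than only pointing at the manual, and the list under `// Default to FIPS 140-2 ciphers` includes the static-RSA suites `AES256-SHA` and `AES128-SHA`, which offer no forward secrecy, so that comment should note that operators wanting PFS-only suites override `SslCiphersAccepted`. Finally, `defaultCipherString.pop_back();` relies on `fipsCiphers` never being empty; joining with the separator placed between elements (or `boost::algorithm::join`, if Boost is already included here) removes that implicit precondition. The enclosing function starts and ends outside the hunk.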