diff OrthancServer/Sources/main.cpp @ 4382:3aacd2bd8bbc varian

review changeset 4381:df313e410f0c
author Sebastien Jodogne <s.jodogne@gmail.com>
date Thu, 17 Dec 2020 15:10:04 +0100
parents df313e410f0c
children 80fd140b12ba
--- a/OrthancServer/Sources/main.cpp	Fri Dec 11 11:59:10 2020 -0500
+++ b/OrthancServer/Sources/main.cpp	Thu Dec 17 15:10:04 2020 +0100
@@ -1046,35 +1046,40 @@
         
         // Default to TLS 1.2 as SSL minimum
         // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md "ssl_protocol_version" for mapping
-        std::string tls1_2 = "4";
-        std::string minimumVersion = lock.GetConfiguration().GetStringParameter("SslMinimumProtocolVersion", tls1_2);
+        static const unsigned int TLS_1_2 = 4;
+        unsigned int minimumVersion = lock.GetConfiguration().GetUnsignedIntegerParameter("SslMinimumProtocolVersion", TLS_1_2);
         httpServer.SetSslMinimumVersion(minimumVersion);
 
-        // Default to FIPS 140-2 ciphers 
-        const std::vector<std::string> fipsCiphers = { 
-          "ECDHE-ECDSA-AES256-GCM-SHA384", 
-          "ECDHE-ECDSA-AES256-SHA384",
-          "ECDHE-RSA-AES256-GCM-SHA384", 
-          "ECDHE-RSA-AES128-GCM-SHA256", 
-          "ECDHE-RSA-AES256-SHA384",
-          "ECDHE-RSA-AES128-SHA256", 
-          "ECDHE-RSA-AES128-SHA", 
-          "ECDHE-RSA-AES256-SHA", 
-          "DHE-RSA-AES256-SHA",
-          "DHE-RSA-AES128-SHA", 
-          "AES256-SHA",
-          "AES128-SHA"};
+        static const char* SSL_CIPHERS_ACCEPTED = "SslCiphersAccepted";
+
+        std::list<std::string> ciphers;
+
+        if (lock.GetJson().type() == Json::objectValue &&
+            lock.GetJson().isMember(SSL_CIPHERS_ACCEPTED))
+        {
+          lock.GetConfiguration().GetListOfStringsParameter(ciphers, SSL_CIPHERS_ACCEPTED);
+        }
+        else
+        {
+          // Defaults to FIPS 140-2 ciphers 
+          CLOG(INFO, HTTP) << "No configuration option \"" << SSL_CIPHERS_ACCEPTED
+                           << "\", will accept the FIPS 140-2 ciphers";
 
-        // Format default cipher string
-        std::string defaultCipherString;
-        for (const auto &cipher : fipsCiphers)
-        {
-          defaultCipherString += cipher + ":";
+          ciphers.push_back("ECDHE-ECDSA-AES256-GCM-SHA384");
+          ciphers.push_back("ECDHE-ECDSA-AES256-SHA384");
+          ciphers.push_back("ECDHE-RSA-AES256-GCM-SHA384");
+          ciphers.push_back("ECDHE-RSA-AES128-GCM-SHA256");
+          ciphers.push_back("ECDHE-RSA-AES256-SHA384");
+          ciphers.push_back("ECDHE-RSA-AES128-SHA256");
+          ciphers.push_back("ECDHE-RSA-AES128-SHA");
+          ciphers.push_back("ECDHE-RSA-AES256-SHA");
+          ciphers.push_back("DHE-RSA-AES256-SHA");
+          ciphers.push_back("DHE-RSA-AES128-SHA");
+          ciphers.push_back("AES256-SHA");
+          ciphers.push_back("AES128-SHA");
         }
-        defaultCipherString.pop_back();
-
-        std::string ciphersAccepted = lock.GetConfiguration().GetStringParameter("SslCiphersAccepted", defaultCipherString); 
-        httpServer.SetSslCiphers(ciphersAccepted);
+        
+        httpServer.SetSslCiphers(ciphers);
       }
       else
       {
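Review bot: The value read into `minimumVersion` on the `GetUnsignedIntegerParameter("SslMinimumProtocolVersion", TLS_1_2)` line is passed straight to `httpServer.SetSslMinimumVersion` with no range check or log, so a configuration that sets it to 0–3 silently lowers the floor to SSLv2/SSLv3/TLS 1.0/1.1 under the civetweb mapping the comment above cites, and an operator has nothing in the log to notice it. A one-line guard after the read would make the downgrade visible: `if (minimumVersion < TLS_1_2) { CLOG(WARNING, HTTP) << "\"SslMinimumProtocolVersion\" is below TLS 1.2 (4), older protocol versions will be accepted"; }`. The same applies to the cipher branch: an explicitly empty `"SslCiphersAccepted": []` leaves `ciphers` empty before `httpServer.SetSslCiphers(ciphers)`, and what that does depends on `SetSslCiphers`, which is outside this hunk — either log it or fall back to the default list. The enclosing `if`/`else` continues past the end of the hunk.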