# HG changeset patch
# User Andrew Wallis <andrew.wallis@varian.com>>
# Date 1607705950 18000
# Node ID df313e410f0cd7a99c3cc799400a1da12efcc46a
# Parent  85b5b0e1bac9945b9bf9d08ac41681a275f57ffd
Add support to configure minimimum accepted TLS version and cipher suite

diff -r 85b5b0e1bac9 -r df313e410f0c OrthancFramework/Sources/HttpServer/HttpServer.cpp
--- a/OrthancFramework/Sources/HttpServer/HttpServer.cpp	Thu Dec 17 12:48:14 2020 +0100
+++ b/OrthancFramework/Sources/HttpServer/HttpServer.cpp	Fri Dec 11 11:59:10 2020 -0500
@@ -1631,9 +1631,16 @@
         options.push_back("ssl_ca_file");
         options.push_back(trustedClientCertificates_.c_str());
       }
-
       if (ssl_)
       {
+        // Restrict minimum SSL/TLS protocol version
+        options.push_back("ssl_protocol_version");
+        options.push_back(sslMinimumVersion_.c_str());
+
+        // Set the accepted ciphers list
+        options.push_back("ssl_cipher_list");
+        options.push_back(sslCiphers_.c_str());
+
         // Set the SSL certificate, if any
         options.push_back("ssl_certificate");
         options.push_back(certificate_.c_str());
@@ -1783,6 +1790,18 @@
 #endif
   }
 
+  void HttpServer::SetSslMinimumVersion(std::string version)
+  {
+    Stop();
+    sslMinimumVersion_ = std::move(version);
+  }
+
+  void HttpServer::SetSslCiphers(std::string ciphers)
+  {
+    Stop();
+    sslCiphers_ = std::move(ciphers);
+  }
+
   void HttpServer::SetKeepAliveEnabled(bool enabled)
   {
     Stop();
diff -r 85b5b0e1bac9 -r df313e410f0c OrthancFramework/Sources/HttpServer/HttpServer.h
--- a/OrthancFramework/Sources/HttpServer/HttpServer.h	Thu Dec 17 12:48:14 2020 +0100
+++ b/OrthancFramework/Sources/HttpServer/HttpServer.h	Fri Dec 11 11:59:10 2020 -0500
@@ -97,6 +97,8 @@
     std::string trustedClientCertificates_;
     bool ssl_;
     std::string certificate_;
+    std::string sslMinimumVersion_;
+    std::string sslCiphers_;
     uint16_t port_;
     IIncomingHttpRequestFilter* filter_;
     bool keepAlive_;
@@ -141,6 +143,12 @@
 
     void SetSslVerifyPeers(bool enabled);
 
+    // set the minimum accepted version of SSL/TLS protocol according to the CivetWeb table published here:
+    // https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md#ssl_protocol_version-0
+    void SetSslMinimumVersion(std::string version);
+
+    void SetSslCiphers(std::string ciphers);
+    
     void SetSslTrustedClientCertificates(const char* path);
 
     bool IsKeepAliveEnabled() const;
diff -r 85b5b0e1bac9 -r df313e410f0c OrthancServer/Resources/Configuration.json
--- a/OrthancServer/Resources/Configuration.json	Thu Dec 17 12:48:14 2020 +0100
+++ b/OrthancServer/Resources/Configuration.json	Fri Dec 11 11:59:10 2020 -0500
@@ -170,6 +170,22 @@
   // if "SslEnabled" is true.
   "SslCertificate" : "certificate.pem",
 
+  // Sets the minimum accepted SSL protocol version
+  // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md 
+  // "ssl_protocol_version" for mapping
+  // By default require SSL 1.2
+  // This option is only meaningful if "SslEnabled" is true.
+  /**
+    "SslMinimumProtocolVersion" : "4",
+  **/
+
+  // Set the allowed ciphers for SSL connections
+  // If not set, this will default to FIPS 140-2 ciphers
+  // This option is only meaningful if "SslEnabled" is true.
+  /**
+    "SslCiphersAccepted" : "",
+  **/
+
   // Whether or not peer client certificates shall be checked. This
   // option is only meaningful if "SslEnabled" is true.
   "SslVerifyPeers" : false,
diff -r 85b5b0e1bac9 -r df313e410f0c OrthancServer/Sources/main.cpp
--- a/OrthancServer/Sources/main.cpp	Thu Dec 17 12:48:14 2020 +0100
+++ b/OrthancServer/Sources/main.cpp	Fri Dec 11 11:59:10 2020 -0500
@@ -1043,6 +1043,38 @@
           lock.GetConfiguration().GetStringParameter("SslCertificate", "certificate.pem"));
         httpServer.SetSslEnabled(true);
         httpServer.SetSslCertificate(certificate.c_str());
+        
+        // Default to TLS 1.2 as SSL minimum
+        // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md "ssl_protocol_version" for mapping
+        std::string tls1_2 = "4";
+        std::string minimumVersion = lock.GetConfiguration().GetStringParameter("SslMinimumProtocolVersion", tls1_2);
+        httpServer.SetSslMinimumVersion(minimumVersion);
+
+        // Default to FIPS 140-2 ciphers 
+        const std::vector<std::string> fipsCiphers = { 
+          "ECDHE-ECDSA-AES256-GCM-SHA384", 
+          "ECDHE-ECDSA-AES256-SHA384",
+          "ECDHE-RSA-AES256-GCM-SHA384", 
+          "ECDHE-RSA-AES128-GCM-SHA256", 
+          "ECDHE-RSA-AES256-SHA384",
+          "ECDHE-RSA-AES128-SHA256", 
+          "ECDHE-RSA-AES128-SHA", 
+          "ECDHE-RSA-AES256-SHA", 
+          "DHE-RSA-AES256-SHA",
+          "DHE-RSA-AES128-SHA", 
+          "AES256-SHA",
+          "AES128-SHA"};
+
+        // Format default cipher string
+        std::string defaultCipherString;
+        for (const auto &cipher : fipsCiphers)
+        {
+          defaultCipherString += cipher + ":";
+        }
+        defaultCipherString.pop_back();
+
+        std::string ciphersAccepted = lock.GetConfiguration().GetStringParameter("SslCiphersAccepted", defaultCipherString); 
+        httpServer.SetSslCiphers(ciphersAccepted);
       }
       else
       {