Update client ciphers to Mozilla intermediate

Our client cipher suites are out of date with what Mozilla recommends.
Update them to the latest.

https://ssl-config.mozilla.org/guidelines/5.7.json

Functionally, this only removes the two remaining AES cipher suites.
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384

And replaces
TLS_CHACHA20_POLY1305_SHA256
with
DHE-RSA-CHACHA20-POLY1305

Functionally this should have no impact on any system.

Change-Id: I7680b06ea34c2a3c0bfd747aa3c3500c0f30151e
Signed-off-by: Ed Tanous <ed@tanous.net>

diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index e523392..5c27655 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -619,10 +619,8 @@
"ECDHE-ECDSA-CHACHA20-POLY1305:"
"ECDHE-RSA-CHACHA20-POLY1305:"
"DHE-RSA-AES128-GCM-SHA256:"
- "DHE-RSA-AES256-GCM-SHA384"
- "TLS_AES_128_GCM_SHA256:"
- "TLS_AES_256_GCM_SHA384:"
- "TLS_CHACHA20_POLY1305_SHA256";
+ "DHE-RSA-AES256-GCM-SHA384:"
+ "DHE-RSA-CHACHA20-POLY1305";
if (SSL_CTX_set_cipher_list(sslCtx.native_handle(), sslCiphers) != 1)
{
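Review bot: The colon added on the "DHE-RSA-AES256-GCM-SHA384:" line is a behaviour change that the commit message does not mention. In the old list that entry had no trailing separator, so the adjacent string literals concatenated it with "TLS_AES_128_GCM_SHA256:" into one token that matches no cipher name, and DHE-RSA-AES256-GCM-SHA384 was effectively not in the list. It is now offered, so "no impact on any system" should be reworded to call out this fix. Separately, SSL_CTX_set_cipher_list() only configures suites for TLS 1.2 and earlier; TLS 1.3 suites are set with SSL_CTX_set_ciphersuites(). The removed TLS_* names therefore had no effect through this call, and DHE-RSA-CHACHA20-POLY1305 is a newly added TLS 1.2 entry rather than a replacement for TLS_CHACHA20_POLY1305_SHA256. Please add a short comment above the list saying where the TLS 1.3 suites are configured, or that the OpenSSL defaults are intended.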