Combine cipher suite lists
It's better to not have to update this in two places.
Tested: Inspection only.
Change-Id: I5c81e50806fe71dd251c22132d93ecbc55fc3865
Signed-off-by: Ed Tanous <etanous@nvidia.com>
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 5c27655..30a037c 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -37,6 +37,18 @@
constexpr const char* x509Comment = "Generated from OpenBMC service";
static EVP_PKEY* createEcKey();
+// Mozilla intermediate cipher suites v5.7
+// Sourced from: https://ssl-config.mozilla.org/guidelines/5.7.json
+constexpr const char* mozillaIntermediate = "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "ECDHE-ECDSA-AES256-GCM-SHA384:"
+ "ECDHE-RSA-AES256-GCM-SHA384:"
+ "ECDHE-ECDSA-CHACHA20-POLY1305:"
+ "ECDHE-RSA-CHACHA20-POLY1305:"
+ "DHE-RSA-AES128-GCM-SHA256:"
+ "DHE-RSA-AES256-GCM-SHA384:"
+ "DHE-RSA-CHACHA20-POLY1305";
+
// Trust chain related errors.`
inline bool isTrustChainError(int errnum)
{
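Review bot: The new header-level `mozillaIntermediate` comment should say what the string is consumed by, because its scope is narrower than the Mozilla guideline it cites: both call sites pass it to `SSL_CTX_set_cipher_list()`, which in OpenSSL governs only TLS 1.2-and-earlier cipher suites, while TLS 1.3 suites are configured separately through `SSL_CTX_set_ciphersuites()` and are left at the library default here. Suggested addition under the "Sourced from" line: `// Applied via SSL_CTX_set_cipher_list(), so this covers TLS <= 1.2 only; TLS 1.3 suites are controlled separately by SSL_CTX_set_ciphersuites().` Since the constant is now shared by the two contexts configured later in this file, it is also worth a one-line note that editing it changes the policy for both, which is the point of the commit but will not be obvious to someone reading the header alone.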
@@ -498,21 +510,9 @@
// There is a pull request to add this. Once this is included in an asio
// drop, use the right way
// http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue
- if (SSL_CTX_set_ecdh_auto(mSslContext->native_handle(), 1) != 1)
+ if (SSL_CTX_set_ecdh_auto(mSslContext.native_handle(), 1) != 1)
{}
- // Mozilla intermediate cipher suites v5.7
- // Sourced from: https://ssl-config.mozilla.org/guidelines/5.7.json
- const char* mozillaIntermediate = "ECDHE-ECDSA-AES128-GCM-SHA256:"
- "ECDHE-RSA-AES128-GCM-SHA256:"
- "ECDHE-ECDSA-AES256-GCM-SHA384:"
- "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-ECDSA-CHACHA20-POLY1305:"
- "ECDHE-RSA-CHACHA20-POLY1305:"
- "DHE-RSA-AES128-GCM-SHA256:"
- "DHE-RSA-AES256-GCM-SHA384:"
- "DHE-RSA-CHACHA20-POLY1305";
-
if (SSL_CTX_set_cipher_list(mSslContext.native_handle(),
mozillaIntermediate) != 1)
{
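Review bot: The rewritten `SSL_CTX_set_ecdh_auto` line still has an empty `{}` body, so a non-1 return is silently dropped while the `SSL_CTX_set_cipher_list` call two lines below reports its failure; if the check is kept it should at least log, e.g. `{ BMCWEB_LOG_ERROR("SSL_CTX_set_ecdh_auto failed"); }`. I believe that in OpenSSL 1.1.0 and later `SSL_CTX_set_ecdh_auto` is a compatibility macro that always evaluates to 1, in which case the call and the stale "There is a pull request to add this" comment above it could be removed instead; please confirm against the OpenSSL version this builds with. The enclosing function begins outside this hunk.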
@@ -610,19 +610,8 @@
return std::nullopt;
}
- // All cipher suites are set as per OWASP datasheet.
- // https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
- constexpr const char* sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:"
- "ECDHE-RSA-AES128-GCM-SHA256:"
- "ECDHE-ECDSA-AES256-GCM-SHA384:"
- "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-ECDSA-CHACHA20-POLY1305:"
- "ECDHE-RSA-CHACHA20-POLY1305:"
- "DHE-RSA-AES128-GCM-SHA256:"
- "DHE-RSA-AES256-GCM-SHA384:"
- "DHE-RSA-CHACHA20-POLY1305";
-
- if (SSL_CTX_set_cipher_list(sslCtx.native_handle(), sslCiphers) != 1)
+ if (SSL_CTX_set_cipher_list(sslCtx.native_handle(), mozillaIntermediate) !=
+ 1)
{
BMCWEB_LOG_ERROR("SSL_CTX_set_cipher_list failed");
return std::nullopt;