From 84ed46d4c1caaa4ec79a6223c35785afcf1c9d53 Mon Sep 17 00:00:00 2001
From: Alexander Barton <alex@barton.de>
Date: Sun, 15 Sep 2013 15:09:36 +0200
Subject: Cipher list selection for OpenSSL

This patch introduces the possibility to arbitrarily select ciphers which
should be promoted resp. declined when establishing a SSL connection
with a client by implementing the new configuration option "CipherList".

By default, OpenSSL would accept low and medium strength and RC-4 ciphers,
which nowadays are known to be broken.

This patch only implements the feature for OpenSSL. A GnuTLS counterpart
has to be implemented in another patch ...

Original patch by Bastian <bastian-ngircd@t6l.de>.

Closes bug #162.
---
 doc/sample-ngircd.conf.tmpl | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'doc')

diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl
index ae1b2139..a4dbf869 100644
--- a/doc/sample-ngircd.conf.tmpl
+++ b/doc/sample-ngircd.conf.tmpl
@@ -248,6 +248,13 @@
 	# SSL Server Key Certificate
 	;CertFile = :ETCDIR:/ssl/server-cert.pem
 
+	# Select cipher suites allowed for SSL/TLS connections (OpenSSL only).
+	# This defaults to the empty string, so all supported ciphers are
+	# allowed. Please see 'man 1ssl ciphers' for details.
+	# The example below only allows "high strength" cipher suites, disables
+	# the ones without authentication, and sorts by strength:
+	;CipherList = HIGH:!aNULL:@STRENGTH
+
 	# Diffie-Hellman parameters
 	;DHFile = :ETCDIR:/ssl/dhparams.pem
 
-- 
cgit 1.4.1