From 84ed46d4c1caaa4ec79a6223c35785afcf1c9d53 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Sun, 15 Sep 2013 15:09:36 +0200 Subject: Cipher list selection for OpenSSL This patch introduces the possibility to arbitrarily select ciphers which should be promoted resp. declined when establishing a SSL connection with a client by implementing the new configuration option "CipherList". By default, OpenSSL would accept low and medium strength and RC-4 ciphers, which nowadays are known to be broken. This patch only implements the feature for OpenSSL. A GnuTLS counterpart has to be implemented in another patch ... Original patch by Bastian . Closes bug #162. --- man/ngircd.conf.5.tmpl | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'man') diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index cf926f9a..263dec04 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@ -366,6 +366,13 @@ when it is compiled with support for SSL using OpenSSL or GnuTLS! \fBCertFile\fR (string) SSL Certificate file of the private server key. .TP +\fBCipherList\fR (string) +OpenSSL only: Select cipher suites allowed for SSL/TLS connections. This +defaults to the empty string, so all supported ciphers are allowed. Please see +'man 1ssl ciphers' for details. This setting allows only "high strength" cipher +suites, disables the ones without authentication, and sorts by strength, for +example: "HIGH:!aNULL:@STRENGTH". +.TP \fBDHFile\fR (string) Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS "certtool \-\-generate-dh-params" or "openssl dhparam". If this file is not -- cgit 1.4.1
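Review bot: The added CipherList paragraph documents a default of the empty string, "so all supported ciphers are allowed", which means a server that does not set the option keeps accepting the low and medium strength and RC-4 suites the commit message describes as broken. Consider making the example value "HIGH:!aNULL:@STRENGTH" the default, or at least say in this paragraph that the default is permissive and recommend setting the option explicitly. The sentence starting "This setting allows only" also reads as if it described the option itself rather than the example string; leading with the example ("For example, "HIGH:!aNULL:@STRENGTH" allows only ...") would remove the ambiguity. Separately, the added line that starts with 'man 1ssl ciphers' begins with an apostrophe, which roff treats as a control character, so that line may be dropped when the page is rendered; rewrap the text so the quote is not first on the line, or prefix it with \&.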