--- /dev/null
+/*
+ * Copyright 2004-present Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "SSLOptions.h"
+
+namespace folly {
+namespace ssl {
+
+const std::vector<std::string>& SSLCommonOptions::getCipherList() {
+ static const std::vector<std::string> kCommonCipherList = {
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-RSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-AES256-GCM-SHA384",
+ "ECDHE-RSA-AES256-GCM-SHA384",
+ "ECDHE-ECDSA-AES256-SHA",
+ "ECDHE-RSA-AES256-SHA",
+ "ECDHE-ECDSA-AES128-SHA",
+ "ECDHE-RSA-AES128-SHA",
+ "ECDHE-RSA-AES256-SHA384",
+ "AES128-GCM-SHA256",
+ "AES256-SHA",
+ "AES128-SHA",
+ };
+ return kCommonCipherList;
+}
+
+const std::vector<std::string>& SSLCommonOptions::getSignatureAlgorithms() {
+ static const std::vector<std::string> kCommonSigAlgs = {
+ "RSA+SHA512",
+ "ECDSA+SHA512",
+ "RSA+SHA384",
+ "ECDSA+SHA384",
+ "RSA+SHA256",
+ "ECDSA+SHA256",
+ "RSA+SHA1",
+ "ECDSA+SHA1",
+ };
+ return kCommonSigAlgs;
+}
+
+void SSLCommonOptions::setClientOptions(SSLContext& ctx) {
+#ifdef SSL_MODE_HANDSHAKE_CUTTHROUGH
+ ctx.enableFalseStart();
+#endif
+
+ X509VerifyParam param(X509_VERIFY_PARAM_new());
+ X509_VERIFY_PARAM_set_flags(param.get(), X509_V_FLAG_X509_STRICT);
+ try {
+ ctx.setX509VerifyParam(param);
+ } catch (std::runtime_error const& e) {
+ LOG(DFATAL) << exceptionStr(e);
+ }
+
+ try {
+ ctx.setClientECCurvesList({"P-256", "P-384"});
+ } catch (std::runtime_error const& e) {
+ LOG(DFATAL) << exceptionStr(e);
+ }
+
+ setCipherSuites<SSLCommonOptions>(ctx);
+ setSignatureAlgorithms<SSLCommonOptions>(ctx);
+}
+
+} // ssl
+} // folly
--- /dev/null
+/*
+ * Copyright 2004-present Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <folly/Format.h>
+#include <folly/io/async/SSLContext.h>
+
+#include <glog/logging.h>
+
+namespace folly {
+namespace ssl {
+
+struct SSLCommonOptions {
+ /**
+ * Return the cipher list recommended for this options configuration.
+ */
+ static const std::vector<std::string>& getCipherList();
+
+ /**
+ * Return the list of signature algorithms recommended for this options
+ * configuration.
+ */
+ static const std::vector<std::string>& getSignatureAlgorithms();
+
+ /**
+ * Set common parameters on a client SSL context, for example,
+ * ciphers, signature algorithms, verification options, and client EC curves.
+ * @param ctx The SSL Context to which to apply the options.
+ */
+ static void setClientOptions(SSLContext& ctx);
+};
+
+template <typename TSSLOptions>
+void setCipherSuites(SSLContext& ctx) {
+ try {
+ ctx.setCipherList(TSSLOptions::getCipherList());
+ } catch (std::runtime_error const& e) {
+ LOG(DFATAL) << exceptionStr(e);
+ }
+}
+
+template <typename TSSLOptions>
+void setSignatureAlgorithms(SSLContext& ctx) {
+ try {
+ ctx.setSignatureAlgorithms(TSSLOptions::getSignatureAlgorithms());
+ } catch (std::runtime_error const& e) {
+ LOG(DFATAL) << exceptionStr(e);
+ }
+}
+
+} // ssl
+} // folly
--- /dev/null
+/*
+ * Copyright 2004-present Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <folly/io/async/SSLContext.h>
+#include <folly/io/async/SSLOptions.h>
+#include <folly/portability/GTest.h>
+#include <folly/ssl/OpenSSLPtrTypes.h>
+
+using namespace std;
+using namespace testing;
+
+namespace folly {
+
+class SSLOptionsTest : public testing::Test {};
+
+void verifySSLCipherList(SSLContext& ctx, const vector<string>& ciphers) {
+ int i = 0;
+ ssl::SSLUniquePtr ssl(ctx.createSSL());
+ for (auto& cipher : ciphers) {
+ ASSERT_STREQ(cipher.c_str(), SSL_get_cipher_list(ssl.get(), i++));
+ }
+ ASSERT_EQ(nullptr, SSL_get_cipher_list(ssl.get(), i));
+}
+
+TEST_F(SSLOptionsTest, TestSetCommonCipherList) {
+ SSLContext ctx;
+ ssl::setCipherSuites<ssl::SSLCommonOptions>(ctx);
+ verifySSLCipherList(ctx, ssl::SSLCommonOptions::getCipherList());
+}
+}
projects / folly.git / commitdiff