constexpr std::array<const char*, 12> SSLCommonOptions::kCipherList;
constexpr std::array<const char*, 8> SSLCommonOptions::kSignatureAlgorithms;
+constexpr std::array<const char*, 12> SSLServerOptions::kCipherList;
void SSLCommonOptions::setClientOptions(SSLContext& ctx) {
#ifdef SSL_MODE_HANDSHAKE_CUTTHROUGH
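Review bot: The out-of-line definition added for `SSLServerOptions::kCipherList` hard-codes the element count `12`, which duplicates the length of the `folly::make_array(...)` initializer in the header. A mismatch would fail to compile rather than misbehave, but every edit to the cipher list then needs a second edit here. Writing it as `constexpr decltype(SSLServerOptions::kCipherList) SSLServerOptions::kCipherList;` keeps the two in sync; the same applies to the two existing `SSLCommonOptions` definitions above it.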
static void setClientOptions(SSLContext& ctx);
};
+/**
+ * Recommended SSL options for server-side scenario.
+ */
+struct SSLServerOptions {
+ /**
+ * The list of ciphers recommended for server use.
+ */
+ static constexpr auto kCipherList = folly::make_array(
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-AES256-GCM-SHA384",
+ "ECDHE-ECDSA-AES128-SHA",
+ "ECDHE-ECDSA-AES256-SHA",
+ "ECDHE-RSA-AES128-GCM-SHA256",
+ "ECDHE-RSA-AES256-GCM-SHA384",
+ "ECDHE-RSA-AES128-SHA",
+ "ECDHE-RSA-AES256-SHA",
+ "AES128-GCM-SHA256",
+ "AES256-GCM-SHA384",
+ "AES128-SHA",
+ "AES256-SHA");
+};
+
/**
* Set the cipher suite of ctx to that in TSSLOptions, and print any runtime
* error it catches.
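Review bot: The last four entries of `SSLServerOptions::kCipherList` (`AES128-GCM-SHA256`, `AES256-GCM-SHA384`, `AES128-SHA`, `AES256-SHA`) use static RSA key exchange, so sessions negotiated with them have no forward secrecy, and the six entries ending in `-SHA` are CBC suites with HMAC-SHA1. The doc comment calls the whole list "recommended for server use" without saying why these are kept. If they are there for legacy-client compatibility, I would say so in the comment, e.g. `Listed in preference order; the non-ECDHE and CBC/SHA1 entries are kept only for legacy clients and give no forward secrecy.` The ordering only takes effect if the server context enforces its own cipher preference, and nothing visible in this hunk sets that or applies the list, so the comment should also state what callers are expected to do. In OpenSSL this list covers TLS 1.2 and earlier only, since TLS 1.3 suites are configured separately.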