Merge pull request #48 from xiewei20082008/feature/cc/ccm

CP-29015: Set correct ciphers for stunnel client
xapi-project · Sep 5, 2018 · 40e80ce · 40e80ce
2 parents a9fb48b + 30d852c
commit 40e80ce
Showing 1 changed file with 32 additions and 30 deletions.
diff --git a/stunnel/stunnel.ml b/stunnel/stunnel.ml
@@ -43,7 +43,7 @@ let legacy_protocol_and_ciphersuites_allowed = ref false
 let is_legacy_protocol_and_ciphersuites_allowed () =
   !legacy_protocol_and_ciphersuites_allowed
 
-let good_ciphersuites = ref (Some "!EXPORT:RSA+AES128-SHA256")
+let good_ciphersuites = ref (Some "!EXPORT:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-SHA256:RSA+AES128-SHA256:AES128-SHA")
 let legacy_ciphersuites = ref "RSA+AES256-SHA:RSA+AES128-SHA:RSA+RC4-SHA:RSA+DES-CBC3-SHA"
 
 let init_stunnel_path () =
@@ -139,36 +139,38 @@ let config_file verify_cert extended_diagnosis host port legacy =
     | None -> raise (Stunnel_error "good_ciphersuites is unset in the OCaml Stunnel module.")
     | Some s -> s
   in
-
-  let lines = [
-    "client=yes"; "foreground=yes"; "socket = r:TCP_NODELAY=1"; "socket = r:SO_KEEPALIVE=1"; "socket = a:SO_KEEPALIVE=1";
-    (match !timeoutidle with None -> "" | Some x -> Printf.sprintf "TIMEOUTidle = %d" x);
-    Printf.sprintf "connect=%s:%d" host port;
-    "fips = no"; (* stunnel fips-mode stops us using sslVersion other than TLSv1 which means 1.0 only. *)
-  ] @	(if extended_diagnosis then
-         ["debug=4"]
-       else
-         []
-      ) @ (
-      if verify_cert then
-        ["verify=2";
-         sprintf "CApath=%s" certificate_path;
-         sprintf "CRLpath=%s" crl_path]
-      else
-        []
-    ) @ (
-      if legacy then [
-        "sslVersion = all";
-        "options = NO_SSLv2";
-        "options = NO_SSLv3";
-        "ciphers = " ^ (good_ciphers ()) ^ (match !legacy_ciphersuites with "" -> "" | s -> (":" ^ s))
-      ] else [
-        "sslVersion = TLSv1.2";
-        "ciphers = " ^ (good_ciphers ());
+  String.concat "\n" @@ List.concat
+  [ [ "client=yes"
+    ; "foreground=yes"
+    ; "socket = r:TCP_NODELAY=1"
+    ; "socket = r:SO_KEEPALIVE=1"
+    ; "socket = a:SO_KEEPALIVE=1"
+    ; (match !timeoutidle with
+      None -> "" |
+      Some x -> Printf.sprintf "TIMEOUTidle = %d" x)
+    ; Printf.sprintf "connect=%s:%d" host port
+    ; "fips = no"; (* stunnel fips-mode stops us using sslVersion other than TLSv1 which means 1.0 only. *)
+    ]
+  ; if extended_diagnosis then ["debug=4"] else []
+  ; if verify_cert then
+      ["verify=2"
+      ; sprintf "CApath=%s" certificate_path
+      ; sprintf "CRLpath=%s" crl_path
       ]
-    )
-  in
-  String.concat "" (List.map (fun x -> x ^ "\n") lines)
+    else []
+  ; if legacy then
+      [ "sslVersion = all"
+      ; "options = NO_SSLv2"
+      ; "options = NO_SSLv3"
+      ; "ciphers = " ^ (good_ciphers ()) ^ (match !legacy_ciphersuites with "" -> "" | s -> (":" ^ s))
+      ]
+    else 
+      [ "sslVersion = TLSv1.2"
+      ; "ciphers = " ^ (good_ciphers ())
+      ]
+    ; ["curve = secp384r1"]
+    ; [""]
+  ]
 
 let set_legacy_protocol_and_ciphersuites_allowed b =
   legacy_protocol_and_ciphersuites_allowed := b;