2 * Copyright 2004-present Facebook, Inc.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
19 #include <folly/container/Array.h>
20 #include <folly/io/async/SSLContext.h>
namespace ssl_options_detail {
// Error sink for failures while applying SSL options; the setCipherSuites and
// setSignatureAlgorithms templates below hand their caught std::runtime_error
// to it instead of rethrowing. Only declared here. The name suggests
// DFATAL-style logging (fatal in debug builds, logged otherwise) — confirm
// against the out-of-line definition before relying on that.
void logDfatal(std::exception const&);
} // namespace ssl_options_detail
29 struct SSLCommonOptions {
31 * The cipher list recommended for this options configuration.
33 static constexpr auto kCipherList = folly::make_array(
34 "ECDHE-ECDSA-AES128-GCM-SHA256",
35 "ECDHE-RSA-AES128-GCM-SHA256",
36 "ECDHE-ECDSA-AES256-GCM-SHA384",
37 "ECDHE-RSA-AES256-GCM-SHA384",
38 "ECDHE-ECDSA-AES256-SHA",
39 "ECDHE-RSA-AES256-SHA",
40 "ECDHE-ECDSA-AES128-SHA",
41 "ECDHE-RSA-AES128-SHA",
42 "ECDHE-RSA-AES256-SHA384",
48 * The list of signature algorithms recommended for this options
51 static constexpr auto kSignatureAlgorithms = folly::make_array(
62 * Set common parameters on a client SSL context, for example,
63 * ciphers, signature algorithms, verification options, and client EC curves.
64 * @param ctx The SSL Context to which to apply the options.
66 static void setClientOptions(SSLContext& ctx);
70 * Recommended SSL options for server-side scenario.
72 struct SSLServerOptions {
74 * The list of ciphers recommended for server use.
76 static constexpr auto kCipherList = folly::make_array(
77 "ECDHE-ECDSA-AES128-GCM-SHA256",
78 "ECDHE-ECDSA-AES256-GCM-SHA384",
79 "ECDHE-ECDSA-AES128-SHA",
80 "ECDHE-ECDSA-AES256-SHA",
81 "ECDHE-RSA-AES128-GCM-SHA256",
82 "ECDHE-RSA-AES256-GCM-SHA384",
83 "ECDHE-RSA-AES128-SHA",
84 "ECDHE-RSA-AES256-SHA",
/**
 * Apply TSSLOptions::kCipherList to ctx.
 *
 * A std::runtime_error raised while setting the list is passed to
 * ssl_options_detail::logDfatal rather than propagated. In a build where that
 * helper only logs, ctx therefore keeps whatever cipher configuration it had
 * before the call, so callers must not assume the recommended list is in
 * place once a failure has been logged.
 *
 * @tparam TSSLOptions An options struct exposing a static kCipherList
 *         (SSLCommonOptions or SSLServerOptions in this header).
 * @param ctx The SSLContext to apply the desired SSL options to.
 */
template <typename TSSLOptions>
void setCipherSuites(SSLContext& ctx) {
  const auto& cipherList = TSSLOptions::kCipherList;
  try {
    ctx.setCipherList(cipherList);
  } catch (const std::runtime_error& err) {
    // Not rethrown: reporting is delegated to the out-of-line helper.
    ssl_options_detail::logDfatal(err);
  }
}
106 * Set the signature algorithm list of ctx to that in TSSLOptions, and print
107 * any runtime errors it catches.
108 * @param ctx The SSLContext to apply the desired SSL options to.
110 template <typename TSSLOptions>
111 void setSignatureAlgorithms(SSLContext& ctx) {
113 ctx.setSignatureAlgorithms(TSSLOptions::kSignatureAlgorithms);
114 } catch (std::runtime_error const& e) {
115 ssl_options_detail::logDfatal(e);