Add TLS 1.2+ version for contexts
1 /*
2  * Copyright 2004-present Facebook, Inc.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *   http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 #include "SSLOptions.h"
18
19 namespace folly {
20 namespace ssl {
21
/// Returns the cipher suites that SSLCommonOptions installs on a context, in
/// preference order: ECDHE AEAD (GCM) suites first, then ECDHE CBC suites,
/// then suites using plain RSA key exchange at the tail. The vector is built
/// once on first use and shared by reference; callers must not modify it.
///
/// NOTE(review): the tail entries (ECDHE-*-SHA, AES256-SHA, AES128-SHA) are
/// CBC/SHA-1-MAC suites without forward secrecy in the last two cases; they
/// look like compatibility fallbacks — confirm they are still required
/// before relying on this list for a hardened endpoint.
const std::vector<std::string>& SSLCommonOptions::getCipherList() {
  static constexpr const char* const kCipherNames[] = {
      "ECDHE-ECDSA-AES128-GCM-SHA256",
      "ECDHE-RSA-AES128-GCM-SHA256",
      "ECDHE-ECDSA-AES256-GCM-SHA384",
      "ECDHE-RSA-AES256-GCM-SHA384",
      "ECDHE-ECDSA-AES256-SHA",
      "ECDHE-RSA-AES256-SHA",
      "ECDHE-ECDSA-AES128-SHA",
      "ECDHE-RSA-AES128-SHA",
      "ECDHE-RSA-AES256-SHA384",
      "AES128-GCM-SHA256",
      "AES256-SHA",
      "AES128-SHA",
  };
  // Function-local static: thread-safe lazy construction, same lifetime as
  // the original single static vector.
  static const std::vector<std::string> cipherList(
      kCipherNames, kCipherNames + sizeof(kCipherNames) / sizeof(*kCipherNames));
  return cipherList;
}
39
/// Returns the signature algorithms that SSLCommonOptions installs on a
/// context, strongest hash first (SHA-512, SHA-384, SHA-256, then SHA-1),
/// each offered for both RSA and ECDSA keys. Built once on first use and
/// returned by reference; callers must not modify it.
///
/// NOTE(review): the trailing "RSA+SHA1"/"ECDSA+SHA1" pair is the weakest
/// entry and is presumably kept for older peers — confirm it is still needed
/// wherever this list is used for a new deployment.
const std::vector<std::string>& SSLCommonOptions::getSignatureAlgorithms() {
  static constexpr const char* const kSigAlgNames[] = {
      "RSA+SHA512",
      "ECDSA+SHA512",
      "RSA+SHA384",
      "ECDSA+SHA384",
      "RSA+SHA256",
      "ECDSA+SHA256",
      "RSA+SHA1",
      "ECDSA+SHA1",
  };
  // Function-local static: thread-safe lazy construction, same lifetime as
  // the original single static vector.
  static const std::vector<std::string> sigAlgs(
      kSigAlgNames, kSigAlgNames + sizeof(kSigAlgNames) / sizeof(*kSigAlgNames));
  return sigAlgs;
}
53
/// Applies the client-side defaults shared by folly SSL contexts to `ctx`:
/// TLS false start (only when the SSL library defines
/// SSL_MODE_HANDSHAKE_CUTTHROUGH), strict X.509 certificate checking, the
/// P-256/P-384 curve list, and this class's cipher suites and signature
/// algorithms.
///
/// Installing the verify parameters or the curve list may throw
/// std::runtime_error; that is reported via LOG(DFATAL) and otherwise
/// ignored, so in a build where DFATAL is not fatal the context presumably
/// keeps the library default for that one setting — verify the final
/// context configuration rather than assuming every setting took effect.
void SSLCommonOptions::setClientOptions(SSLContext& ctx) {
  // Log-and-continue wrapper for the context setters that signal a rejected
  // setting with std::runtime_error. Same catch type and same log line as
  // the per-call try/catch it replaces.
  auto applyOrLog = [](auto&& setter) {
    try {
      setter();
    } catch (std::runtime_error const& e) {
      LOG(DFATAL) << exceptionStr(e);
    }
  };

#ifdef SSL_MODE_HANDSHAKE_CUTTHROUGH
  ctx.enableFalseStart();
#endif

  // X509_V_FLAG_X509_STRICT disables the verifier's workarounds for
  // malformed certificates, so chains must conform to X.509 proper.
  X509VerifyParam verifyParam(X509_VERIFY_PARAM_new());
  X509_VERIFY_PARAM_set_flags(verifyParam.get(), X509_V_FLAG_X509_STRICT);
  applyOrLog([&] { ctx.setX509VerifyParam(verifyParam); });

  // Restrict ECDHE to the two NIST curves; anything else is refused.
  applyOrLog([&] { ctx.setClientECCurvesList({"P-256", "P-384"}); });

  // Cipher suites and signature algorithms come from getCipherList() and
  // getSignatureAlgorithms() via the templated helpers.
  setCipherSuites<SSLCommonOptions>(ctx);
  setSignatureAlgorithms<SSLCommonOptions>(ctx);
}
76
77 } // namespace ssl
78 } // namespace folly