Recommended cipher list for server side. v2017.08.21.00
authorXiangyu Bu <xbu@fb.com>
Fri, 18 Aug 2017 23:59:18 +0000 (16:59 -0700)
committerFacebook Github Bot <facebook-github-bot@users.noreply.github.com>
Sat, 19 Aug 2017 00:04:42 +0000 (17:04 -0700)
Summary: An SSLOptions struct holding the recommended cipher list for server use.

Reviewed By: yfeldblum

Differential Revision: D5614280

fbshipit-source-id: a6b1adfa8d168f35c7bc7d4088c4073c3f4084a5

folly/io/async/SSLOptions.cpp
folly/io/async/SSLOptions.h

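--- a/folly/io/async/SSLOptions.cpp
+++ b/folly/io/async/SSLOptions.cpp
@@ -29,6 +29,7 @@ void logDfatal(std::exception const& e) {
 
 constexpr std::array<const char*, 12> SSLCommonOptions::kCipherList;
 constexpr std::array<const char*, 8> SSLCommonOptions::kSignatureAlgorithms;
+constexpr std::array<const char*, 12> SSLServerOptions::kCipherList;
 
 void SSLCommonOptions::setClientOptions(SSLContext& ctx) {
 #ifdef SSL_MODE_HANDSHAKE_CUTTHROUGH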
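--- a/folly/io/async/SSLOptions.h
+++ b/folly/io/async/SSLOptions.h
@@ -66,6 +66,28 @@ struct SSLCommonOptions {
   static void setClientOptions(SSLContext& ctx);
 };
 
+/**
+ * Recommended SSL options for server-side scenario.
+ */
+struct SSLServerOptions {
+  /**
+   * The list of ciphers recommended for server use.
+   */
+  static constexpr auto kCipherList = folly::make_array(
+      "ECDHE-ECDSA-AES128-GCM-SHA256",
+      "ECDHE-ECDSA-AES256-GCM-SHA384",
+      "ECDHE-ECDSA-AES128-SHA",
+      "ECDHE-ECDSA-AES256-SHA",
+      "ECDHE-RSA-AES128-GCM-SHA256",
+      "ECDHE-RSA-AES256-GCM-SHA384",
+      "ECDHE-RSA-AES128-SHA",
+      "ECDHE-RSA-AES256-SHA",
+      "AES128-GCM-SHA256",
+      "AES256-GCM-SHA384",
+      "AES128-SHA",
+      "AES256-SHA");
+};
+
 /**
  * Set the cipher suite of ctx to that in TSSLOptions, and print any runtime
  * error it catches.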
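Review bot: The `kCipherList` docstring in `SSLServerOptions` should say that the entries are in preference order and that the last four (`AES128-GCM-SHA256` through `AES256-SHA`) use static RSA key exchange, so a session that negotiates one of them has no forward secrecy; the `*-SHA` entries are also CBC/SHA1 suites, older than the GCM ones listed above them. Whether the server's order or the client's wins is decided wherever this array is applied to a context, which is outside this hunk, so the comment should state which the list assumes. A line such as `* Ordered by preference: ECDHE (forward-secret) suites first; the trailing RSA-key-exchange and CBC/SHA1 suites are a compatibility fallback without forward secrecy.` would make the trade-off visible to anyone copying the list. The struct comment says "Recommended SSL options" but the struct holds only a cipher list, with no counterpart to `SSLCommonOptions::kSignatureAlgorithms`; either narrow the wording to "cipher list" or note that other settings are inherited from `SSLCommonOptions`. The trailing context lines belong to a comment block whose target continues outside the hunk.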