From: Xiangyu Bu
Date: Fri, 18 Aug 2017 23:59:18 +0000 (-0700)
Subject: Recommended cipher list for server side.
X-Git-Tag: v2017.08.21.00^0
X-Git-Url: http://plrg.eecs.uci.edu/git/?p=folly.git;a=commitdiff_plain;h=f2ddd0ef782086145006f3c623ab4d3740e5ced8

Recommended cipher list for server side.
Summary: A SSLOptions recommended for cipher use.
Reviewed By: yfeldblum
Differential Revision: D5614280
fbshipit-source-id: a6b1adfa8d168f35c7bc7d4088c4073c3f4084a5
---
diff --git a/folly/io/async/SSLOptions.cpp b/folly/io/async/SSLOptions.cpp
index 32f3ccb6..8cd97437 100644
--- a/folly/io/async/SSLOptions.cpp
+++ b/folly/io/async/SSLOptions.cpp
@@ -29,6 +29,7 @@ void logDfatal(std::exception const& e) {
 
 constexpr std::array SSLCommonOptions::kCipherList;
 constexpr std::array SSLCommonOptions::kSignatureAlgorithms;
+constexpr std::array SSLServerOptions::kCipherList;
 
 void SSLCommonOptions::setClientOptions(SSLContext& ctx) {
 #ifdef SSL_MODE_HANDSHAKE_CUTTHROUGH
diff --git a/folly/io/async/SSLOptions.h b/folly/io/async/SSLOptions.h
index 94dc8ed1..233c3622 100644
--- a/folly/io/async/SSLOptions.h
+++ b/folly/io/async/SSLOptions.h
@@ -66,6 +66,28 @@ struct SSLCommonOptions {
 static void setClientOptions(SSLContext& ctx);
 };
 
+/**
+ * Recommended SSL options for server-side scenario.
+ */
+struct SSLServerOptions {
+ /**
+ * The list of ciphers recommended for server use.
+ */
+ static constexpr auto kCipherList = folly::make_array(
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-AES256-GCM-SHA384",
+ "ECDHE-ECDSA-AES128-SHA",
+ "ECDHE-ECDSA-AES256-SHA",
+ "ECDHE-RSA-AES128-GCM-SHA256",
+ "ECDHE-RSA-AES256-GCM-SHA384",
+ "ECDHE-RSA-AES128-SHA",
+ "ECDHE-RSA-AES256-SHA",
+ "AES128-GCM-SHA256",
+ "AES256-GCM-SHA384",
+ "AES128-SHA",
+ "AES256-SHA");
+};
+
 /**
 * Set the cipher suite of ctx to that in TSSLOptions, and print any runtime
 * error it catches.
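Review bot: The four non-ECDHE suites at the tail of `kCipherList` (`AES128-GCM-SHA256`, `AES256-GCM-SHA384`, `AES128-SHA`, `AES256-SHA`) use static RSA key exchange and so have no forward secrecy, and the four `ECDHE-*-AES*-SHA` entries are SHA-1 CBC (MAC-then-encrypt) suites; the doc comment on `SSLServerOptions` does not say why a list labelled "recommended" keeps them. If they are retained for legacy clients, state that and the consequence — a later compromise of the server's RSA private key decrypts recorded sessions that negotiated an RSA-key-exchange suite — so a deployment serving only modern clients knows it can truncate the list, e.g. `* The trailing non-ECDHE and CBC/SHA-1 suites exist for legacy clients only: they lack forward secrecy or use MAC-then-encrypt CBC. Drop them if every client supports ECDHE with AES-GCM.` The order of the array only controls which suite is negotiated when the consumer of this list enables `SSL_OP_CIPHER_SERVER_PREFERENCE`, which this hunk does not show, so that is worth stating beside the list or checking where it is applied. Whether the linked OpenSSL offers `ECDHE-ECDSA-CHACHA20-POLY1305` / `ECDHE-RSA-CHACHA20-POLY1305` is not visible here; if it does, those usually sit alongside the GCM suites.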