
7663:54424e981796

core.certmanager: Split cipher list into array with comments explaining each part
author Kim Alvefur <zash@zash.se>
date Mon, 12 Sep 2016 15:49:24 +0200
parents 7662:946871f6e3c8
children 7664:4f145a9f1477
files core/certmanager.lua
diffstat 1 files changed, 10 insertions(+), 1 deletions(-) [+]
--- a/core/certmanager.lua	Mon Sep 12 15:01:16 2016 +0200
+++ b/core/certmanager.lua	Mon Sep 12 15:49:24 2016 +0200
@@ -103,7 +103,16 @@
 	};
 	verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 	curve = "secp384r1";
-	ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
+	ciphers = {      -- Enabled ciphers in order of preference:
+		"HIGH+kEDH",   -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set
+		"HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange
+		"HIGH",        -- Other "High strength" ciphers
+		               -- Disabled cipher suites:
+		"!PSK",        -- Pre-Shared Key - not used for XMPP
+		"!SRP",        -- Secure Remote Password - not used for XMPP
+		"!3DES",       -- 3DES - slow and of questionable security
+		"!aNULL",      -- Ciphers that does not authenticate the connection
+	};
 }
 local path_options = { -- These we pass through resolve_path()
 	key = true, certificate = true, cafile = true, capath = true, dhparam = true
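Review bot: The preference order puts `"HIGH+kEDH"` ahead of `"HIGH+kEECDH"`, so when server cipher preference is in effect a client offering both is steered to finite-field DHE, whose strength is whatever the operator's `dhparam` file provides, while the ECDHE suites bound to `curve = "secp384r1"` three lines above come second; swapping the first two entries to `"HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange (forward secrecy; uses the 'curve' setting above)` followed by `"HIGH+kEDH",   -- Ephemeral Diffie-Hellman key exchange; only negotiable when a 'dhparam' file is set, and no stronger than that file` looks like the safer default. The `"HIGH"` comment would also help readers if it said that, in OpenSSL's cipher-string grammar, this fallback group still includes static-RSA key exchange with no forward secrecy, kept for compatibility. The `!aNULL` comment has a grammar slip ("Ciphers that does not" should be "Ciphers that do not"). Separately, the value is now a table rather than the `:`-joined string OpenSSL expects and nothing in this hunk joins it, so please confirm that the consumer (or the config merge code elsewhere in this file) applies `table.concat(ciphers, ":")` before the value reaches LuaSec; the enclosing defaults table begins before the hunk.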