authorLeorize <leorize+oss@disroot.org>2020-06-03 17:02:18 -0500
committerAndreas Rumpf <rumpf_a@web.de>2020-06-06 21:11:53 +0200
commit1fb2a58674dd8136b246c7499cd295e85484d8c3 (patch)
tree4361bf2c3a6b815870ffe53325fb895dc92fe18f /lib/pure/net.nim
parent6cb94b5da6ac409915cc0ca3f50c50214edee0ef (diff)
downloadNim-1fb2a58674dd8136b246c7499cd295e85484d8c3.tar.gz
net: use a secure cipher list by default
Previously, the `net` module used the blanket "ALL" as the default cipher
list. This list may contain ciphers that are weak and/or outdated
according to current standards.

This commit introduces a new module `ssl_config` that contains the
latest OpenSSL configurations as recommended by Mozilla OpSec, and
make the `net` module use the cipher list targeting `intermediate`
compatibility level as the default.
Diffstat (limited to 'lib/pure/net.nim')
-rw-r--r--lib/pure/net.nim3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/pure/net.nim b/lib/pure/net.nim
index af66c3a15..a5643330e 100644
--- a/lib/pure/net.nim
+++ b/lib/pure/net.nim
@@ -68,6 +68,7 @@ import std/private/since
 
 import nativesockets, os, strutils, times, sets, options, std/monotimes
 from ssl_certs import scanSSLCertificates
+import ssl_config
 export nativesockets.Port, nativesockets.`$`, nativesockets.`==`
 export Domain, SockType, Protocol
 
@@ -533,7 +534,7 @@ when defineSsl:
         raiseSSLError("Verification of private key file failed.")
 
   proc newContext*(protVersion = protSSLv23, verifyMode = CVerifyPeer,
-                   certFile = "", keyFile = "", cipherList = "ALL",
+                   certFile = "", keyFile = "", cipherList = CiphersIntermediate,
                    caDir = "", caFile = ""): SSLContext =
     ## Creates an SSL context.
     ##
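Review bot: The new default `cipherList = CiphersIntermediate` is not reflected in newContext's `##` doc comment, which begins at the bottom of the hunk and continues outside it, so readers of the generated docs will no longer know what the default set is or how to restore the old permissive behaviour. I would add a line to that doc block such as `## cipherList defaults to CiphersIntermediate (from ssl_config, Mozilla's intermediate profile); pass an explicit OpenSSL cipher string to override it.` If this string is applied through OpenSSL's SSL_CTX_set_cipher_list (the call is not visible in this hunk), it only constrains TLS 1.2 and earlier, since TLS 1.3 suites are configured separately, so the docs should not imply the default governs every protocol version. Separately, the `import ssl_config` added in the first hunk is unconditional while its only use here sits under `when defineSsl:`; if ssl_config is pure constants that is harmless, but it is worth confirming the module builds without `-d:ssl`.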