-rw-r--r-- | lib/pure/net.nim | 7 | ||||
-rw-r--r-- | lib/wrappers/openssl.nim | 5 |
2 files changed, 12 insertions, 0 deletions
diff --git a/lib/pure/net.nim b/lib/pure/net.nim index f628ee056..c1896dc1c 100644 --- a/lib/pure/net.nim +++ b/lib/pure/net.nim @@ -580,6 +580,13 @@ when defineSsl: if newCTX.SSL_CTX_set_cipher_list(cipherList) != 1: raiseSSLError() + when not defined(openssl10) and not defined(libressl): + let sslVersion = getOpenSSLVersion() + if sslVersion >= 0x010101000 and not sslVersion == 0x020000000: + # In OpenSSL >= 1.1.1, TLSv1.3 cipher suites can only be configured via + # this API. + if newCTX.SSL_CTX_set_ciphersuites(cipherList) != 1: + raiseSSLError() # Automatically the best ECDH curve for client exchange. Without this, ECDH # ciphers will be ignored by the server. # diff --git a/lib/wrappers/openssl.nim b/lib/wrappers/openssl.nim index a3825b801..c81176a9b 100644 --- a/lib/wrappers/openssl.nim +++ b/lib/wrappers/openssl.nim @@ -296,6 +296,7 @@ when compileOption("dynlibOverride", "ssl") or defined(noOpenSSLHacks): SSl_state(ssl) and SSL_ST_INIT else: proc SSL_in_init*(ssl: SslPtr): cint {.cdecl, dynlib: DLLSSLName, importc.} + proc SSL_CTX_set_ciphersuites*(ctx: SslCtx, str: cstring): cint {.cdecl, dynlib: DLLSSLName, importc.} template OpenSSL_add_all_algorithms*() = discard @@ -423,6 +424,10 @@ else: else: raiseInvalidLibrary MainProc + proc SSL_CTX_set_ciphersuites*(ctx: SslCtx, str: cstring): cint = + let theProc {.global.} = cast[proc(ctx: SslCtx, str: cstring) {.cdecl, gcsafe.}](sslSymThrows("SSL_CTX_set_ciphersuites")) + theProc(ctx, str) + proc ERR_load_BIO_strings*(){.cdecl, dynlib: DLLUtilName, importc.} proc SSL_new*(context: SslCtx): SslPtr{.cdecl, dynlib: DLLSSLName, importc.} |
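Review bot: The guard `sslVersion >= 0x010101000 and not sslVersion == 0x020000000` does not test what it appears to. In Nim, unary `not` binds tighter than `==`, so it compares the bitwise complement of the version with the constant and the branch is effectively never taken. A caller who restricts `cipherList` therefore still gets the library's default TLSv1.3 suites, with no error raised; write the condition as `if sslVersion >= 0x010101000 and sslVersion != 0x020000000:`. Once the branch is live, `SSL_CTX_set_ciphersuites` expects TLSv1.3 suite names rather than the cipher-list syntax taken by `SSL_CTX_set_cipher_list`, so passing the same `cipherList` string to both will probably raise for typical values, and a separate parameter looks necessary. The enclosing proc starts and ends outside the hunk.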
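Review bot: The `importc` declaration of `SSL_CTX_set_ciphersuites` in the `dynlibOverride`/`noOpenSSLHacks` branch is bound unconditionally, while the only version check is the run-time one in net.nim. Against an OpenSSL 1.1.0 build, which does not export this symbol, the failure would presumably surface at link or load time, before that check can run. At minimum document the requirement above the declaration, for example `# Requires OpenSSL >= 1.1.1; callers must not rely on a run-time version check alone in this branch.` The surrounding `when`/`else` block extends outside the hunk.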
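Review bot: The cast target `proc(ctx: SslCtx, str: cstring) {.cdecl, gcsafe.}` omits the `: cint` return type, so `theProc(ctx, str)` is a void call and the wrapper returns the zero-initialised `result` whatever OpenSSL reports. The caller in net.nim treats anything other than 1 as failure, so a successful call would still raise an SSL error once that path is reached. Use `cast[proc(ctx: SslCtx, str: cstring): cint {.cdecl, gcsafe.}](sslSymThrows("SSL_CTX_set_ciphersuites"))` and make the return explicit with `result = theProc(ctx, str)`. A short comment that `sslSymThrows` raises when the loaded library lacks the symbol would also help readers of the dynamic-loading branch.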