From 1fb2a58674dd8136b246c7499cd295e85484d8c3 Mon Sep 17 00:00:00 2001
From: Leorize
Date: Wed, 3 Jun 2020 17:02:18 -0500
Subject: net: use a secure cipher list by default

Previously, the `net` module use the blanket "ALL" as the default cipher list. This list may contain security ciphers that are weak and/or outdated according to the current standard.

This commit introduces a new module `ssl_config` that contains the latest OpenSSL configurations as recommended by Mozilla OpSec, and make the `net` module use the cipher list targeting `intermediate` compatibility level as the default.
---
 lib/pure/net.nim | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib/pure/net.nim')

diff --git a/lib/pure/net.nim b/lib/pure/net.nim
index af66c3a15..a5643330e 100644
--- a/lib/pure/net.nim
+++ b/lib/pure/net.nim
@@ -68,6 +68,7 @@ import std/private/since
 import nativesockets, os, strutils, times, sets, options, std/monotimes
 from ssl_certs import scanSSLCertificates
+import ssl_config
 export nativesockets.Port, nativesockets.`$`, nativesockets.`==`
 export Domain, SockType, Protocol
@@ -533,7 +534,7 @@ when defineSsl:
 raiseSSLError("Verification of private key file failed.")
 proc newContext*(protVersion = protSSLv23, verifyMode = CVerifyPeer,
- certFile = "", keyFile = "", cipherList = "ALL",
+ certFile = "", keyFile = "", cipherList = CiphersIntermediate,
 caDir = "", caFile = ""): SSLContext =
 ## Creates an SSL context.
 ##
-- 
cgit 1.4.1-2-gfad0
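Review bot: The doc comment of newContext, which starts at `## Creates an SSL context.` and continues past the end of the hunk, is not updated for the new default, so a caller who previously relied on "ALL" to reach a legacy peer has no documented explanation when the handshake starts failing. The cipherList entry in that comment should say that the default is now CiphersIntermediate from ssl_config (Mozilla's intermediate compatibility profile) and that an explicit OpenSSL cipher string such as "ALL" restores the old permissive behaviour. It is also worth stating there that this string governs the TLS 1.2-and-older suite list only; TLS 1.3 suites are configured through a separate OpenSSL setting, so the list does not constrain them. In the first hunk `import ssl_config` is unconditional while the only use visible is under `when defineSsl:`; if ssl_config is a constants-only module this is harmless, but guarding the import with the same `when` would keep non-SSL builds from depending on it.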