OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
63 {"AES_CM_128_HMAC_SHA1_80", SRTP_AES128_CM_HMAC_SHA1_80 }, | 63 {"AES_CM_128_HMAC_SHA1_80", SRTP_AES128_CM_HMAC_SHA1_80 }, |
64 {"AES_CM_128_HMAC_SHA1_32", SRTP_AES128_CM_HMAC_SHA1_32 }, | 64 {"AES_CM_128_HMAC_SHA1_32", SRTP_AES128_CM_HMAC_SHA1_32 }, |
65 {NULL, 0} | 65 {NULL, 0} |
66 }; | 66 }; |
67 #endif | 67 #endif |
68 | 68 |
69 // Ciphers to enable to get ECDHE encryption with endpoints that support it. | 69 // Ciphers to enable to get ECDHE encryption with endpoints that support it. |
70 static const uint32_t kEnabledCiphers[] = { | 70 static const uint32_t kEnabledCiphers[] = { |
71 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, | 71 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
72 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | 72 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
73 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, | |
juberti1
2015/06/26 19:16:01
this should be ECDHE
torbjorng (webrtc)
2015/07/02 12:35:07
Done.
| |
74 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | |
juberti1
2015/06/26 19:16:01
we don't want the AES-256 variant. this should be
torbjorng (webrtc)
2015/07/02 12:35:07
Done.
| |
73 }; | 75 }; |
74 | 76 |
75 // Default cipher used between NSS stream adapters. | 77 // Default cipher used between NSS stream adapters. |
76 // This needs to be updated when the default of the SSL library changes. | 78 // This needs to be updated when the default of the SSL library changes. |
77 static const char kDefaultSslCipher10[] = | 79 static const char kDefaultSslCipher10[] = |
78 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; | 80 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; |
79 static const char kDefaultSslCipher12[] = | 81 static const char kDefaultSslCipher12[] = |
80 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; | 82 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; |
81 | 83 |
82 | 84 |
(...skipping 405 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
488 | 490 |
489 if (identity_.get()) { | 491 if (identity_.get()) { |
490 identity = static_cast<NSSIdentity *>(identity_.get()); | 492 identity = static_cast<NSSIdentity *>(identity_.get()); |
491 } else { | 493 } else { |
492 LOG(LS_ERROR) << "Can't be an SSL server without an identity"; | 494 LOG(LS_ERROR) << "Can't be an SSL server without an identity"; |
493 Error("BeginSSL", -1, false); | 495 Error("BeginSSL", -1, false); |
494 return -1; | 496 return -1; |
495 } | 497 } |
496 rv = SSL_ConfigSecureServer(ssl_fd_, identity->certificate().certificate(), | 498 rv = SSL_ConfigSecureServer(ssl_fd_, identity->certificate().certificate(), |
497 identity->keypair()->privkey(), | 499 identity->keypair()->privkey(), |
498 kt_rsa); | 500 identity->keypair()->ssl_kea_type()); |
499 if (rv != SECSuccess) { | 501 if (rv != SECSuccess) { |
500 Error("BeginSSL", -1, false); | 502 Error("BeginSSL", -1, false); |
501 return -1; | 503 return -1; |
502 } | 504 } |
503 | 505 |
504 // Insist on a certificate from the client | 506 // Insist on a certificate from the client |
505 rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE); | 507 rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE); |
506 if (rv != SECSuccess) { | 508 if (rv != SECSuccess) { |
507 Error("BeginSSL", -1, false); | 509 Error("BeginSSL", -1, false); |
508 return -1; | 510 return -1; |
(...skipping 591 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1100 return kDefaultSslCipher10; | 1102 return kDefaultSslCipher10; |
1101 case SSL_PROTOCOL_TLS_12: | 1103 case SSL_PROTOCOL_TLS_12: |
1102 default: | 1104 default: |
1103 return kDefaultSslCipher12; | 1105 return kDefaultSslCipher12; |
1104 } | 1106 } |
1105 } | 1107 } |
1106 | 1108 |
1107 } // namespace rtc | 1109 } // namespace rtc |
1108 | 1110 |
1109 #endif // HAVE_NSS_SSL_H | 1111 #endif // HAVE_NSS_SSL_H |
OLD | NEW |