void ssl_cipher_preference_list_free (struct ssl_cipher_preference_list_st *cipher_list);
-int
+MONO_API int
mono_btls_ssl_ctx_is_debug_enabled (MonoBtlsSslCtx *ctx)
{
return ctx->debug_bio != NULL;
}
-int
+MONO_API int
mono_btls_ssl_ctx_debug_printf (MonoBtlsSslCtx *ctx, const char *format, ...)
{
va_list args;
return ret;
}
-MonoBtlsSslCtx *
+MONO_API MonoBtlsSslCtx *
mono_btls_ssl_ctx_new (void)
{
MonoBtlsSslCtx *ctx;
memset (ctx, 0, sizeof (MonoBtlsSslCtx));
ctx->references = 1;
ctx->ctx = SSL_CTX_new (TLS_method ());
+
+ // enable the default ciphers but disable any RC4 based ciphers
+ // since they're insecure: RFC 7465 "Prohibiting RC4 Cipher Suites"
+ SSL_CTX_set_cipher_list (ctx->ctx, "DEFAULT:!RC4");
+
+ // disable SSLv2 and SSLv3 by default, they are deprecated
+ // and should generally not be used according to the openssl docs
+ SSL_CTX_set_options (ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
return ctx;
}
-MonoBtlsSslCtx *
+MONO_API MonoBtlsSslCtx *
mono_btls_ssl_ctx_up_ref (MonoBtlsSslCtx *ctx)
{
CRYPTO_refcount_inc (&ctx->references);
return ctx;
}
-int
+MONO_API int
mono_btls_ssl_ctx_free (MonoBtlsSslCtx *ctx)
{
if (!CRYPTO_refcount_dec_and_test_zero (&ctx->references))
return 1;
}
-SSL_CTX *
+MONO_API SSL_CTX *
mono_btls_ssl_ctx_get_ctx (MonoBtlsSslCtx *ctx)
{
return ctx->ctx;
}
-void
+MONO_API void
mono_btls_ssl_ctx_set_debug_bio (MonoBtlsSslCtx *ctx, BIO *debug_bio)
{
if (debug_bio)
ctx->debug_bio = NULL;
}
-void
+MONO_API void
mono_btls_ssl_ctx_initialize (MonoBtlsSslCtx *ctx, void *instance)
{
ctx->instance = instance;
return ret;
}
-void
+MONO_API void
mono_btls_ssl_ctx_set_cert_verify_callback (MonoBtlsSslCtx *ptr, MonoBtlsVerifyFunc func, int cert_required)
{
int mode;
return ret;
}
-void
+MONO_API void
mono_btls_ssl_ctx_set_cert_select_callback (MonoBtlsSslCtx *ptr, MonoBtlsSelectFunc func)
{
ptr->select_func = func;
SSL_CTX_set_cert_cb (ptr->ctx, cert_select_callback, ptr);
}
-X509_STORE *
+MONO_API X509_STORE *
mono_btls_ssl_ctx_peek_store (MonoBtlsSslCtx *ctx)
{
return SSL_CTX_get_cert_store (ctx->ctx);
}
-void
+MONO_API void
mono_btls_ssl_ctx_set_min_version (MonoBtlsSslCtx *ctx, int version)
{
SSL_CTX_set_min_version (ctx->ctx, version);
}
-void
+MONO_API void
mono_btls_ssl_ctx_set_max_version (MonoBtlsSslCtx *ctx, int version)
{
SSL_CTX_set_max_version (ctx->ctx, version);
}
-int
+MONO_API int
mono_btls_ssl_ctx_is_cipher_supported (MonoBtlsSslCtx *ctx, uint16_t value)
{
const SSL_CIPHER *cipher;
return cipher != NULL;
}
-int
+MONO_API int
mono_btls_ssl_ctx_set_ciphers (MonoBtlsSslCtx *ctx, int count, const uint16_t *data,
int allow_unsupported)
{
return 0;
}
-int
+MONO_API int
mono_btls_ssl_ctx_set_verify_param (MonoBtlsSslCtx *ctx, const MonoBtlsX509VerifyParam *param)
{
return SSL_CTX_set1_param (ctx->ctx, mono_btls_x509_verify_param_peek_param (param));