Source-Changes-HG archive


[src/trunk]: src/libexec/httpd extend the list of available ciphers to includ...



details:   https://anonhg.NetBSD.org/src/rev/ff9fe1505116
branches:  trunk
changeset: 1023107:ff9fe1505116
user:      mrg <mrg%NetBSD.org@localhost>
date:      Tue Aug 24 09:53:26 2021 +0000

description:
extend the list of available ciphers to include most of the
openssl "HIGH" with some additional disables.  retain the current
list of bad options.  should deal with PR#51278.

diffstat:

 libexec/httpd/CHANGES    |   5 ++++-
 libexec/httpd/ssl-bozo.c |  15 ++++++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)

diffs (45 lines):

diff -r 502bfaa91baa -r ff9fe1505116 libexec/httpd/CHANGES
--- a/libexec/httpd/CHANGES     Tue Aug 24 09:47:36 2021 +0000
+++ b/libexec/httpd/CHANGES     Tue Aug 24 09:53:26 2021 +0000
@@ -1,8 +1,11 @@
-$NetBSD: CHANGES,v 1.50 2021/08/24 09:47:36 mrg Exp $
+$NetBSD: CHANGES,v 1.51 2021/08/24 09:53:26 mrg Exp $
 
 changes in bozohttpd 20210824:
        o  new "-m tlsversion" option to set the minimum TLS version
           available.  partially from <sunil%nimmagadda.net@localhost>.
+       o  extend the list of available ciphers to include most of the
+          openssl "HIGH" with some additional disables.  retain the current
+          list of bad options.  should deal with PR#51278.
 
 changes in bozohttpd 20210504:
        o  don't assume host BUFSIZ is sufficent.  small BUFSIZ leads to
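Review bot: The added entry under "changes in bozohttpd 20210824" says "some additional disables" without naming them, so someone auditing the default or overriding BOZO_SSL_CIPHERS at build time cannot tell from CHANGES what was taken out of "HIGH". Suggest listing the classes that the ssl-bozo.c change removes (SHA, ADH, the CCM8 suites, Camellia) in this entry.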
diff -r 502bfaa91baa -r ff9fe1505116 libexec/httpd/ssl-bozo.c
--- a/libexec/httpd/ssl-bozo.c  Tue Aug 24 09:47:36 2021 +0000
+++ b/libexec/httpd/ssl-bozo.c  Tue Aug 24 09:53:26 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ssl-bozo.c,v 1.30 2021/08/24 09:47:36 mrg Exp $        */
+/*     $NetBSD: ssl-bozo.c,v 1.31 2021/08/24 09:53:26 mrg Exp $        */
 
 /*     $eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $        */
 
@@ -51,10 +51,15 @@
 
 #ifndef BOZO_SSL_CIPHERS
 #define BOZO_SSL_CIPHERS                                       \
-       "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:"           \
-       "AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:"           \
-       "AES:"                                                  \
-       "-SHA:"                                                 \
+       "HIGH:"                                                 \
+       "-SHA:-ADH:"                                            \
+       "-PSK-AES128-CCM:-PSK-AES256-CCM:"                      \
+       "-DHE-PSK-AES128-CCM8:-DHE-PSK-AES256-CCM8:"            \
+       "-AES128-CCM8:-AES256-CCM8:"                            \
+       "-DHE-RSA-AES128-CCM8:-DHE-RSA-AES256-CCM8:"            \
+       "-PSK-AES128-CCM8:-PSK-AES256-CCM8:"                    \
+       "-CAMELLIA128:-CAMELLIA256:"                            \
+       "-RSA-PSK-CHACHA20-POLY1305:"                           \
        "!aNULL:!eNULL:"                                        \
        "!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"                   \
        "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:"          \
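Review bot: In the new BOZO_SSL_CIPHERS value, several of the added soft removals are redundant with the retained lines that follow them: "-ADH" is covered by "!aNULL", and the "-PSK-AES128-CCM", "-DHE-PSK-AES128-CCM8", "-PSK-AES128-CCM8" pairs and "-RSA-PSK-CHACHA20-POLY1305" are all covered by "!PSK", which deletes every pre-shared-key suite permanently. Dropping them would leave only the removals that change the result ("-AES128-CCM8:-AES256-CCM8", "-DHE-RSA-AES128-CCM8:-DHE-RSA-AES256-CCM8", "-CAMELLIA128:-CAMELLIA256") and make the intent easier to read. Separately, replacing the explicit AES list with "HIGH" makes the effective suite set depend on the OpenSSL version the daemon is linked against, so a short comment above the macro saying why CCM8 and Camellia are excluded, and a check of the expanded string with "openssl ciphers -v" on each supported OpenSSL version, would be worth adding.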


