tls: don't hardcode a default cypher list

The crypto layer (GnuTLS) will provide a acceptable default list if no cypher is provided. Refs #59541 Change-Id: I7114deb422c5cbaf34b27cfec29153a966a7af35

tls: don't hardcode a default cypher list
800e545a · Adrien Béraud · 5ccaff50 · 800e545a · 800e545a · 800e545a
Commit 800e545a authored Nov 12, 2014 by Adrien Béraud
--- a/daemon/src/dht/dhtaccount.cpp
+++ b/daemon/src/dht/dhtaccount.cpp
@@ -74,20 +74,6 @@

 constexpr const char * const DHTAccount::ACCOUNT_TYPE;

-const CipherArray DHTAccount::TLS_CIPHER_LIST = {
-    PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_DH_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA
-};
-
 DHTAccount::DHTAccount(const std::string& accountID, bool /* presenceEnabled */)
    : SIPAccountBase(accountID)
 {
@@ -621,16 +607,13 @@ void DHTAccount::initTlsConfiguration()
    // TLS listener is unique and should be only modified through IP2IP_PROFILE
    pjsip_tls_setting_default(&tlsSetting_);

-    SFL_WARN("cacertPath_ : %s", cacertPath_.c_str());
-    SFL_WARN("certPath_ : %s", certPath_.c_str());
-    SFL_WARN("privkeyPath_ : %s", privkeyPath_.c_str());
-    pj_cstr(&tlsSetting_.ca_list_file, "");//cacertPath_.c_str()
+    pj_cstr(&tlsSetting_.ca_list_file, cacertPath_.c_str());
    pj_cstr(&tlsSetting_.cert_file, certPath_.c_str());
    pj_cstr(&tlsSetting_.privkey_file, privkeyPath_.c_str());
    pj_cstr(&tlsSetting_.password, "");
    tlsSetting_.method = PJSIP_TLSV1_METHOD;
-    tlsSetting_.ciphers_num = 0;//ciphers_.size();
-    tlsSetting_.ciphers = nullptr;//&ciphers_.front();
+    tlsSetting_.ciphers_num = 0;
+    tlsSetting_.ciphers = nullptr;
    tlsSetting_.verify_server = false;
    tlsSetting_.verify_client = false;
    tlsSetting_.require_client_cert = false;

--- a/daemon/src/dht/dhtaccount.h
+++ b/daemon/src/dht/dhtaccount.h
@@ -325,11 +325,6 @@ class DHTAccount : public SIPAccountBase {
         */
        pjsip_tls_setting tlsSetting_ {};

-        /**
-         * Allocate a vector to be used by pjsip to store the supported ciphers on this system.
-         */
-        CipherArray ciphers_ {TLS_CIPHER_LIST};
-
        /**
         * Optional: "received" parameter from VIA header
         */

--- a/daemon/src/sip/sipaccount.cpp
+++ b/daemon/src/sip/sipaccount.cpp
@@ -81,36 +81,10 @@ constexpr const char * const SIPAccount::ACCOUNT_TYPE;

 #if HAVE_TLS

-const CipherArray SIPAccount::TLSv1_DEFAULT_CIPHER_LIST = {
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_MD5
-};
-
-const CipherArray SIPAccount::SSLv3_DEFAULT_CIPHER_LIST = {
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_MD5
-};
-
-const CipherArray SIPAccount::SSLv23_DEFAULT_CIPHER_LIST = {
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_MD5,
-    PJ_SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
-    PJ_SSL_CK_RC4_128_WITH_MD5,
-    PJ_SSL_CK_IDEA_128_CBC_WITH_MD5,
-    PJ_SSL_CK_RC2_128_CBC_WITH_MD5,
-};
+// Empty cypher list will use default cypher list for the transport type on GnuTLS
+const CipherArray SIPAccount::TLSv1_DEFAULT_CIPHER_LIST = {};
+const CipherArray SIPAccount::SSLv3_DEFAULT_CIPHER_LIST = {};
+const CipherArray SIPAccount::SSLv23_DEFAULT_CIPHER_LIST = {};

 #endif