Commit b9300629 authored by Adrien Béraud's avatar Adrien Béraud Committed by Guillaume Roguez

security: use better PFS priority string

This patch changes the TLS priority string to remove RSA key-exchange
algorithms from current cipher suites (based on SECURE192).

This let DH key-exchange the only remaining algorithms.
Notice that we use a minimal of 2048-bits DH params
by using GNUTLS_SEC_PARAM_NORMAL settings
in the gnutls_sec_param_to_pk_bits function.

Using this priority makes audio and video calls forward secure,
a significant security and privacy feature for Ring users.

Tuleap: #383
Change-Id: Iabf51bb52617354c34410d15ee96e0be90acee55
parent c8f451e4
......@@ -39,7 +39,7 @@
namespace ring { namespace tls {
static constexpr int DTLS_MTU {1400}; // limit for networks like ADSL
static constexpr const char* TLS_PRIORITY_STRING {"SECURE192:-VERS-TLS-ALL:+VERS-DTLS-ALL:%SERVER_PRECEDENCE"};
static constexpr const char* TLS_PRIORITY_STRING {"SECURE192:-RSA:-VERS-TLS-ALL:+VERS-DTLS-ALL:%SERVER_PRECEDENCE"};
static constexpr ssize_t FLOOD_THRESHOLD {4*1024};
static constexpr auto FLOOD_PAUSE = std::chrono::milliseconds(100); // Time to wait after an invalid cookie packet (anti flood attack)
static constexpr std::size_t INPUT_MAX_SIZE {1000}; // Maximum packet to store before dropping (pkt size = DTLS_MTU)
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment