Skip to content

Commit f87fbe9

Browse files
ansasakiansasaki
committed
crypto: Enable TLS 1.3
The agent server used the SslAcceptor::mozilla_intermediate() which disables TLS 1.3 and restricts the TLS 1.2 ciphers to: TLSv1.2: ciphers: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) With this change TLS 1.3 is enabled. The following ciphers are accepted: TLSv1.2: ciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) TLSv1.3: ciphers: TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
1 parent 06c59ea commit f87fbe9

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

keylime/src/crypto.rs

+1-1
Original file line numberDiff line numberDiff line change
@@ -655,7 +655,7 @@ pub fn generate_tls_context(
655655
key: &PKey<Private>,
656656
ca_certs: Vec<X509>,
657657
) -> Result<SslAcceptorBuilder, CryptoError> {
658-
let mut ssl_context_builder = SslAcceptor::mozilla_intermediate(
658+
let mut ssl_context_builder = SslAcceptor::mozilla_intermediate_v5(
659659
SslMethod::tls(),
660660
)
661661
.map_err(|source| CryptoError::SSLContextBuilderError {

0 commit comments

Comments
 (0)