diff options
| author | 2025-04-02 11:02:05 +0100 | |
|---|---|---|
| committer | 2025-04-03 01:06:36 +0100 | |
| commit | 2374aa02748306ec55e78e68e3e5e7677aab12b9 (patch) | |
| tree | baf21db1b372d90badca37be658e31cf71a87f59 | |
| parent | Release v4.7.0. (diff) | |
Add <sslprofile:securitylevel>.
This allows enforcing a minimum security level on the provided
cert and key. We can use this in the future to squish insecure
config.
| -rw-r--r-- | src/modules/extra/m_ssl_openssl.cpp | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index d3cfa0728..149486e19 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -247,6 +247,11 @@ namespace OpenSSL } } + void SetSecurityLevel(int securitylevel) + { + SSL_CTX_set_security_level(ctx, securitylevel); + } + long GetDefaultContextOptions() const { return ctx_options; @@ -419,6 +424,10 @@ namespace OpenSSL SetContextOptions("server", tag, ctx); SetContextOptions("client", tag, clientctx); + const auto securitylevel = tag->getNum<int>("securitylevel", 0, 0, 10); + if (securitylevel) + ctx.SetSecurityLevel(securitylevel); + /* Load our keys and certificates * NOTE: OpenSSL's error logging API sucks, don't blame us for this clusterfuck. */ |
