Commit a0dd549

fix: constrain DTLS cipher list
Reduces the number of supported ciphers to ensure Client Hello messages are not fragmented, `ECDHE-ECDSA-AES128-GCM-SHA256` takes priority and older insecure ciphers are not used. Fixes #1333
1 parent 173d97a commit a0dd549

1 file changed, +1 -1 lines changed
src/impl/dtlstransport.cpp

+1-1
@@ -761,7 +761,7 @@ DtlsTransport::DtlsTransport(shared_ptr<IceTransport> lower, certificate_ptr cer
761761
CertificateCallback);
762762
SSL_CTX_set_verify_depth(mCtx, 1);
763763

764-
openssl::check(SSL_CTX_set_cipher_list(mCtx, "ALL:!LOW:!EXP:!RC4:!MD5:@STRENGTH"),
764+
openssl::check(SSL_CTX_set_cipher_list(mCtx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5:!3DES:!SSLv3:!TLSv1"),
765765
"Failed to set SSL priorities");
766766

767767
#if OPENSSL_VERSION_NUMBER >= 0x30000000
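Review bot: the commit message says `ECDHE-ECDSA-AES128-GCM-SHA256` takes priority, but nothing in the new string at line 764 pins that ordering. In OpenSSL cipher strings `!SHA256` and `!SHA384` match the HMAC of the CBC suites, not the PRF suffix of the AEAD suites, so `ECDHE-ECDSA-AES256-GCM-SHA384` stays in the list, and with `@STRENGTH` dropped the order is OpenSSL's default preference, which puts AES-256-GCM ahead of AES-128-GCM. If the AES-128 suite really must come first (for the fragmentation concern or for interop), name it explicitly at the head of the string, e.g. `"ECDHE-ECDSA-AES128-GCM-SHA256:ALL:!SHA256:..."`, and confirm the resulting set and order with `openssl ciphers -v '<string>'` rather than by inspection. Two smaller points: the string still admits static RSA key exchange, so `!kRSA` would keep forward secrecy across the whole list, and the `SSLv3`/`TLSv1` keywords select suites by the version they were defined in rather than restricting the negotiated protocol, so they are not a substitute for a minimum protocol version on the context. Finally, since this list is deliberately narrow to keep the Client Hello in one datagram, a one-line comment above the call saying so (and referencing #1333) would stop a later change from quietly widening it again.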
