improved Mojo::IOLoop::Server to reuse cipher list from IO::Socket::SSL

mojolicious · Apr 25, 2014 · 5e24045 · 5e24045
1 parent bf57785
commit 5e24045
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 11 deletions.
diff --git a/Changes b/Changes
@@ -1,5 +1,6 @@
 
-4.95  2014-04-21
+4.95  2014-04-25
+  - Improved Mojo::IOLoop::Server to reuse cipher list from IO::Socket::SSL.
 
 4.94  2014-04-20
   - Added reverse_proxy attribute to Mojo::Server::Daemon.

diff --git a/lib/Mojo/IOLoop/Server.pm b/lib/Mojo/IOLoop/Server.pm
@@ -89,18 +89,16 @@ sub listen {
   return unless $args->{tls};
   croak "IO::Socket::SSL 1.84 required for TLS support" unless TLS;
 
-  # Prioritize RC4 to mitigate BEAST attack
-  $self->{tls} = {
-    SSL_ca_file => $args->{tls_ca}
-      && -T $args->{tls_ca} ? $args->{tls_ca} : undef,
+  my $tls = $self->{tls} = {
     SSL_cert_file => $args->{tls_cert} || $CERT,
-    SSL_cipher_list => $args->{tls_ciphers}
-      // 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH',
     SSL_honor_cipher_order => 1,
     SSL_key_file           => $args->{tls_key} || $KEY,
     SSL_startHandshake     => 0,
     SSL_verify_mode => $args->{tls_verify} // $args->{tls_ca} ? 0x03 : 0x00
   };
+  $tls->{SSL_ca_file} = $args->{tls_ca}
+    if $args->{tls_ca} && -T $args->{tls_ca};
+  $tls->{SSL_cipher_list} = $args->{tls_ciphers} if $args->{tls_ciphers};
 }
 
 sub start {
@@ -288,8 +286,7 @@ Path to the TLS cert file, defaults to a built-in test certificate.
 
   tls_ciphers => 'AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH'
 
-Cipher specification string, defaults to
-C<ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH>.
+Cipher specification string.
 
 =item tls_key
 

diff --git a/lib/Mojo/Server/Daemon.pm b/lib/Mojo/Server/Daemon.pm
@@ -373,8 +373,7 @@ Path to the TLS cert file, defaults to a built-in test certificate.
 
   ciphers=AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
 
-Cipher specification string, defaults to
-C<ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH>.
+Cipher specification string.
 
 =item key