defensive-coding-guide/defensive-coding/pot/Features/snippets/TLS-Client-OpenSSL-CTX.pot


#
# AUTHOR <EMAIL@ADDRESS>, YEAR.
#
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2013-03-12T03:19:44\n"
"PO-Revision-Date: 2013-03-12T03:19:44\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Tag: programlisting
#, no-c-format
msgid "\n"
"// Configure a client connection context. Send a handshake for the\n"
"// highest supported TLS version, and disable compression.\n"
"const SSL_METHOD *const req_method = SSLv23_client_method();\n"
"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n"
"if (ctx == NULL) {\n"
" ERR_print_errors(bio_err);\n"
" exit(1);\n"
"}\n"
"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n"
"\n"
"// Adjust the ciphers list based on a whitelist. First enable all\n"
"// ciphers of at least medium strength, to get the list which is\n"
"// compiled into OpenSSL.\n"
"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n"
" ERR_print_errors(bio_err);\n"
" exit(1);\n"
"}\n"
"{\n"
" // Create a dummy SSL session to obtain the cipher list.\n"
" SSL *ssl = SSL_new(ctx);\n"
" if (ssl == NULL) {\n"
" ERR_print_errors(bio_err);\n"
" exit(1);\n"
" }\n"
" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n"
" if (active_ciphers == NULL) {\n"
" ERR_print_errors(bio_err);\n"
" exit(1);\n"
" }\n"
" // Whitelist of candidate ciphers.\n"
" static const char *const candidates[] = {\n"
" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n"
" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n"
" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n"
" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n"
" NULL\n"
" };\n"
" // Actually selected ciphers.\n"
" char ciphers[300];\n"
" ciphers[0] = '\\0';\n"
" for (const char *const *c = candidates; *c; ++c) {\n"
" for (int i = 0; i &lt; sk_SSL_CIPHER_num(active_ciphers); ++i) {\n"
" if (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n"
" *c) == 0) {\n"
" if (*ciphers) {\n"
" strcat(ciphers, \":\");\n"
" }\n"
" strcat(ciphers, *c);\n"
" break;\n"
" }\n"
" }\n"
" }\n"
" SSL_free(ssl);\n"
" // Apply final cipher list.\n"
" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n"
" ERR_print_errors(bio_err);\n"
" exit(1);\n"
" }\n"
"}\n"
"\n"
"// Load the set of trusted root certificates.\n"
"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n"
" ERR_print_errors(bio_err);\n"
" exit(1);\n"
"}\n"
""
msgstr ""