Archives
/
SSLproxy
mirror of https://github.com/sonertari/SSLproxy
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
develop
master
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
SSLproxy/src/defaults.h

106 lines
4.1 KiB
C
Raw Permalink Blame History

/*-
* SSLsplit - transparent SSL/TLS interception
* https://www.roe.ch/SSLsplit
*
* Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef DEFAULTS_H
#define DEFAULTS_H
/*
* Defaults for convenient tweaking or patching.
*/
/*
* User to drop privileges to by default. This user needs to be allowed to
* create outbound TCP connections, and in some configurations, perform DNS
* resolution.
*
* Packagers may want to use a specific service user account instead of
* overloading nobody with yet another use case. Using nobody for source
* builds makes sense because chances are high that it exists. Good practice
* is to create a dedicated user for sslsplit.
*
* Make sure to also patch the manual page if you patch this.
*/
#define DFLT_DROPUSER "nobody"
/*
* Default file and directory modes for newly created files and directories
* created as part of e.g. logging. The default is to use full permissions
* subject to the system's umask, as is the default for system utilities.
* Use a more restrictive mode for the PID file.
*/
#define DFLT_DIRMODE 0777
#define DFLT_FILEMODE 0666
#define DFLT_PIDFMODE 0644
/*
* Default ciphers spec.
* Use 'openssl ciphers -v spec' to see what ciphers are effectively enabled
* by a ciphers spec with a given version of OpenSSL.
*/
#define DFLT_CIPHERS "ALL:-aNULL"
/*
* Default ciphersuites spec.
* Use 'openssl ciphers -v spec' to see what ciphersuites are effectively enabled
* by a ciphersuites spec with a given version of OpenSSL.
* The ciphersuites spec is for TLS 1.3.
*/
#define DFLT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
/*
* Default elliptic curve for EC cipher suites.
*/
#define DFLT_CURVE "prime256v1"
/*
* Default leaf key RSA keysize in bits.
*
* While implementations still generally accepted leaf keys of 1024 bits in
* size, we used 1024 for leaf keys. As implementations are starting to sunset
* 1024 bit RSA not only for CA keys, but also for leaf keys, we now use a 2048
* bit key size for the leaf cert key in order to maximize interoperability in
* default config.
*
* Users who want a different size, for example 1024 bit RSA for performance,
* can always use their own pre-generated leaf key using the -K option instead
* of generating one automatically.
*
* Refer to the following resources on key sizes accepted by different
* implementations. Note that OpenSSL security level restrictions potentially
* apply to both sslsplit and all of the clients and servers using OpenSSL.
*
* OpenSSL:
* https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_get_security_level.html
* https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_security_level.html
*/
#define DFLT_LEAFKEY_RSABITS 2048
#endif /* !DEFAULTS_H */
/* vim: set noet ft=c: */
Reference in New Issue View Git Blame Copy Permalink