From ee2a765758984f0563e5cf82e4877f9276ed24e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tam=C3=A1s=20B=C3=A1lint=20Misius?=
Date: Sat, 3 Aug 2019 00:16:12 +0200
Subject: [PATCH] Only allow strong ciphers to be used
How fun it will be to keep this list up to date...
---
 src/client/http/Request.cpp | 4 ++++
 src/client/http/Request.h | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/src/client/http/Request.cpp b/src/client/http/Request.cpp
index d42bf024e..ce50998f7 100644
--- a/src/client/http/Request.cpp
+++ b/src/client/http/Request.cpp
@@ -163,6 +163,10 @@ namespace http
 #else
 curl_easy_setopt(easy, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS | CURLPROTO_HTTP);
 curl_easy_setopt(easy, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS | CURLPROTO_HTTP);
+#endif
+ curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256");
+#ifdef REQUEST_USE_CURL_TLSV13CL
+ curl_easy_setopt(easy, CURLOPT_TLS13_CIPHERS, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256");
 #endif
 curl_easy_setopt(easy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
 curl_easy_setopt(easy, CURLOPT_MAXREDIRS, 10L);
diff --git a/src/client/http/Request.h b/src/client/http/Request.h
index e72f31b11..399085171 100644
--- a/src/client/http/Request.h
+++ b/src/client/http/Request.h
@@ -16,6 +16,10 @@
 # define REQUEST_USE_CURL_MIMEPOST
 #endif
 
+#if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 61, 0)
+# define REQUEST_USE_CURL_TLSV13CL
+#endif
+
 namespace http
 {
 class RequestManager;
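Review bot: The list passed to `CURLOPT_SSL_CIPHER_LIST` still admits CBC-mode suites, three of them with a SHA-1 MAC (`ECDHE-ECDSA-AES128-SHA`, `ECDHE-ECDSA-AES256-SHA`, `ECDHE-RSA-AES128-SHA`), and the `CURLOPT_TLS13_CIPHERS` list adds `TLS_AES_128_CCM_8_SHA256`, whose truncated 8-byte tag OpenSSL leaves out of its default TLS 1.3 set; that sits badly with the stated aim of allowing only strong ciphers. Unless a server this client has to reach needs them, I would keep only the AEAD entries, `"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"`, and drop at least `CCM_8` from the TLS 1.3 string. Both added `curl_easy_setopt` calls also discard their return code, and the names are in OpenSSL syntax, so a build linked against a TLS backend that does not accept the option gets no indication at this point that the restriction was not applied; comparing the result with `CURLE_OK` and logging a failure would make that visible. The enclosing function begins and ends outside this hunk.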
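Review bot: `REQUEST_USE_CURL_TLSV13CL` is introduced with no comment saying what it gates, and the test it relies on only covers the libcurl headers the client is compiled against. A line above the `#if` such as `// CURLOPT_TLS13_CIPHERS exists since libcurl 7.61.0; header check only, the TLS backend linked at runtime may still reject it` would tell the next reader why the option is conditional. It would also help to record there that when the macro is undefined the TLS 1.3 suites are left at the library defaults, presumably on purpose. A less abbreviated name, for example `REQUEST_USE_CURL_TLS13_CIPHERS`, would match the option it guards.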