authorGeert Hendrickx <geert@hendrickx.be>2024-07-14 15:46:28 +0200
committerGeert Hendrickx <geert@hendrickx.be>2024-07-14 15:46:28 +0200
commit88415e81b36917d3de66a02de432ea1fd3ad992b (patch)
treef5f333f8c3549a2626b5c4636de9860fe6167e5f
parent4f903f0c9ea930e3abf75cfc0f6d08b8e37b0173 (diff)
Disable non-PFS ciphers, strongly discouraged by BCP RFC 7525 and 9325
and to be formally deprecated by draft-ietf-tls-deprecate-obsolete-kex. This should not cause any impact, with the minimum already at TLS 1.2+. See https://www.ssllabs.com/ssltest/clients.html
-rw-r--r--xbmc/network/WebServer.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/xbmc/network/WebServer.cpp b/xbmc/network/WebServer.cpp
index bbd8938faa..2f82a0d0d2 100644
--- a/xbmc/network/WebServer.cpp
+++ b/xbmc/network/WebServer.cpp
@@ -1192,7 +1192,7 @@ bool CWebServer::LoadCert(std::string& skey, std::string& scert)
struct MHD_Daemon* CWebServer::StartMHD(unsigned int flags, int port)
{
unsigned int timeout = 60 * 60 * 24;
- const char* ciphers = "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1";
+ const char* ciphers = "PFS:-VERS-TLS1.0:-VERS-TLS1.1";
MHD_set_panic_func(&panicHandlerForMHD, nullptr);
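Review bot: Swapping the base keyword to `PFS` on the `ciphers` line changes more than the key exchange: as far as I know GnuTLS treats `PFS` as its own suite list (ECDHE and DHE, ordered by security margin), and its manual still recommends `NORMAL` or higher for most uses. If the aim is only to drop static-RSA key exchange, `const char* ciphers = "NORMAL:-RSA:-VERS-TLS1.0:-VERS-TLS1.1";` should keep the NORMAL ordering and remove just that. Finite-field DHE stays enabled either way, which, as I read it, the cited draft also restricts, so `-DHE-RSA` may be worth considering once client compatibility is checked. A short comment such as `// GnuTLS priority string: forward-secret key exchange only, TLS 1.2+` would record the intent; StartMHD continues past the hunk, so where the string is handed to MHD is not visible here.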