author | Geert Hendrickx <geert@hendrickx.be> | 2024-07-14 15:46:28 +0200 |
---|---|---|
committer | Geert Hendrickx <geert@hendrickx.be> | 2024-07-14 15:46:28 +0200 |
commit | 88415e81b36917d3de66a02de432ea1fd3ad992b (patch) | |
tree | f5f333f8c3549a2626b5c4636de9860fe6167e5f | |
parent | 4f903f0c9ea930e3abf75cfc0f6d08b8e37b0173 (diff) |
Disable non-PFS ciphers, strongly discouraged by BCP RFC 7525 and 9325
and to be formally deprecated by draft-ietf-tls-deprecate-obsolete-kex.
This should not cause any impact, with the minimum already at TLS 1.2+
See https://www.ssllabs.com/ssltest/clients.html
-rw-r--r-- | xbmc/network/WebServer.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/xbmc/network/WebServer.cpp b/xbmc/network/WebServer.cpp index bbd8938faa..2f82a0d0d2 100644 --- a/xbmc/network/WebServer.cpp +++ b/xbmc/network/WebServer.cpp @@ -1192,7 +1192,7 @@ bool CWebServer::LoadCert(std::string& skey, std::string& scert) struct MHD_Daemon* CWebServer::StartMHD(unsigned int flags, int port) { unsigned int timeout = 60 * 60 * 24; - const char* ciphers = "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1"; + const char* ciphers = "PFS:-VERS-TLS1.0:-VERS-TLS1.1"; MHD_set_panic_func(&panicHandlerForMHD, nullptr); |
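Review bot: On the changed `ciphers` line in `CWebServer::StartMHD`, the `PFS` keyword in a GnuTLS priority string enables finite-field DHE key exchange as well as ECDHE, so non-ECDHE suites stay negotiable. If the aim is to line up with draft-ietf-tls-deprecate-obsolete-kex as the commit message says, consider whether DHE should be dropped too, for example by appending `:-DHE-RSA`. The literal also has no comment explaining the choice. A one-line comment above it naming the RFC 9325 rationale and the TLS 1.2 minimum would stop a later edit from quietly reverting to `NORMAL`. Since a client that offers only RSA key exchange will now fail the handshake, it is worth confirming that the failure shows up in the web server log rather than only as a dropped connection.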