Disable non-PFS ciphers, strongly discouraged by BCP RFC 7525 and 9325

and to be formally deprecated by draft-ietf-tls-deprecate-obsolete-kex. This should not cause any impact, with the minimum already at TLS 1.2+ See https://www.ssllabs.com/ssltest/clients.html
author: Geert Hendrickx <geert@hendrickx.be> 2024-07-14 15:46:28 +0200
committer: Geert Hendrickx <geert@hendrickx.be> 2024-07-14 15:46:28 +0200
commit: 88415e81b36917d3de66a02de432ea1fd3ad992b (patch)
tree: f5f333f8c3549a2626b5c4636de9860fe6167e5f
parent: 4f903f0c9ea930e3abf75cfc0f6d08b8e37b0173 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/xbmc/network/WebServer.cpp b/xbmc/network/WebServer.cpp
index bbd8938faa..2f82a0d0d2 100644
--- a/xbmc/network/WebServer.cpp
+++ b/xbmc/network/WebServer.cpp
@@ -1192,7 +1192,7 @@ bool CWebServer::LoadCert(std::string& skey, std::string& scert)
 struct MHD_Daemon* CWebServer::StartMHD(unsigned int flags, int port)
 {
   unsigned int timeout = 60 * 60 * 24;
-  const char* ciphers = "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1";
+  const char* ciphers = "PFS:-VERS-TLS1.0:-VERS-TLS1.1";
 
   MHD_set_panic_func(&panicHandlerForMHD, nullptr);
author	Geert Hendrickx <geert@hendrickx.be>	2024-07-14 15:46:28 +0200
committer	Geert Hendrickx <geert@hendrickx.be>	2024-07-14 15:46:28 +0200
commit	88415e81b36917d3de66a02de432ea1fd3ad992b (patch)
tree	f5f333f8c3549a2626b5c4636de9860fe6167e5f
parent	4f903f0c9ea930e3abf75cfc0f6d08b8e37b0173 (diff)