From 88415e81b36917d3de66a02de432ea1fd3ad992b Mon Sep 17 00:00:00 2001
From: Geert Hendrickx
Date: Sun, 14 Jul 2024 15:46:28 +0200
Subject: Disable non-PFS ciphers, strongly discouraged by BCP RFC 7525 and 9325 and to be formally deprecated by draft-ietf-tls-deprecate-obsolete-kex. This should not cause any impact, with the minimum already at TLS 1.2+ See https://www.ssllabs.com/ssltest/clients.html
---
 xbmc/network/WebServer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xbmc/network/WebServer.cpp b/xbmc/network/WebServer.cpp
index bbd8938faa..2f82a0d0d2 100644
--- a/xbmc/network/WebServer.cpp
+++ b/xbmc/network/WebServer.cpp
@@ -1192,7 +1192,7 @@ bool CWebServer::LoadCert(std::string& skey, std::string& scert)
 struct MHD_Daemon* CWebServer::StartMHD(unsigned int flags, int port)
 {
 unsigned int timeout = 60 * 60 * 24;
- const char* ciphers = "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1";
+ const char* ciphers = "PFS:-VERS-TLS1.0:-VERS-TLS1.1";
 MHD_set_panic_func(&panicHandlerForMHD, nullptr);
--
cgit v1.2.3
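Review bot: The new GnuTLS priority string on the `+` line is a bare literal whose security rationale lives only in the commit message, so a why-comment at the declaration would keep a later maintainer from loosening it back to `NORMAL`, e.g. `// GnuTLS priority string: forward-secret (ECDHE/DHE) suites only and TLS 1.2+, per RFC 9325 — do not relax to NORMAL`. The `PFS` keyword is only understood by GnuTLS 3.2.4 and later, and an unrecognised keyword makes the priority-string parse fail when the daemon is started, so the build's minimum GnuTLS version should be checked against that and the start-failure path (the MHD start call that consumes `ciphers` is outside this hunk) confirmed to surface the error rather than leave the web server silently unavailable. It is also worth noting in that comment that the hard-coded string overrides any distribution-wide crypto policy the system GnuTLS would otherwise apply, which is the intended trade-off here. The body of `StartMHD` continues past the end of the hunk.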