rippled
ripple::openssl::detail Namespace Reference

Functions

static void initAnonymous(boost::asio::ssl::context& context)

static void initAuthenticated(boost::asio::ssl::context& context, std::string const& key_file, std::string const& cert_file, std::string const& chain_file)

std::shared_ptr<boost::asio::ssl::context> get_context(std::string cipherList)

Variables

int defaultRSAKeyBits = 2048
    The default strength of self-signed RSA certificates.

static constexpr const char defaultDH[]
    The default DH parameters.

const std::string defaultCipherList = "TLSv1.2:!CBC:!DSS:!PSK:!eNULL:!aNULL"
    The default list of ciphers we accept over TLS.

Function Documentation

◆ initAnonymous()

static void ripple::openssl::detail::initAnonymous(boost::asio::ssl::context& context)

Definition at line 86 of file make_SSLContext.cpp.

◆ initAuthenticated()

static void ripple::openssl::detail::initAuthenticated(
    boost::asio::ssl::context& context,
    std::string const& key_file,
    std::string const& cert_file,
    std::string const& chain_file)

Definition at line 228 of file make_SSLContext.cpp.

◆ get_context()

std::shared_ptr<boost::asio::ssl::context> ripple::openssl::detail::get_context(std::string cipherList)

Definition at line 326 of file make_SSLContext.cpp.

Variable Documentation

◆ defaultRSAKeyBits

int ripple::openssl::detail::defaultRSAKeyBits = 2048

The default strength of self-signed RSA certificates.

Per NIST Special Publication 800-57 Part 3, 2048-bit RSA is still considered acceptably secure. Generally, we would want to go above and beyond such recommendations (e.g. by using 3072 or 4096 bits), but there is a computational cost associated with that which may not be worth paying, considering that:

  • We regenerate a new ephemeral certificate and a securely generated random private key every time the server is started; and
  • There should not be any truly secure information (e.g. seeds or private keys) that gets relayed to the server anyway over these RPCs.

Note
If you increase the number of bits you need to generate new default DH parameters and update defaultDH accordingly.

Definition at line 45 of file make_SSLContext.cpp.

◆ defaultDH

static constexpr const char ripple::openssl::detail::defaultDH[]
Initial value:
=
"-----BEGIN DH PARAMETERS-----\n"
"MIIBCAKCAQEApKSWfR7LKy0VoZ/SDCObCvJ5HKX2J93RJ+QN8kJwHh+uuA8G+t8Q\n"
"MDRjL5HanlV/sKN9HXqBc7eqHmmbqYwIXKUt9MUZTLNheguddxVlc2IjdP5i9Ps8\n"
"l7su8tnP0l1JvC6Rfv3epRsEAw/ZW/lC2IwkQPpOmvnENQhQ6TgrUzcGkv4Bn0X6\n"
"pxrDSBpZ+45oehGCUAtcbY8b02vu8zPFoxqo6V/+MIszGzldlik5bVqrJpVF6E8C\n"
"tRqHjj6KuDbPbjc+pRGvwx/BSO3SULxmYu9J1NOk090MU1CMt6IJY7TpEc9Xrac9\n"
"9yqY3xXZID240RRcaJ25+U4lszFPqP+CEwIBAg==\n"
"-----END DH PARAMETERS-----"

The default DH parameters.

These were generated using the OpenSSL command openssl dhparam 2048 by Nik Bougalis (nikb@bougalis.net) on May 29, 2022.

It is safe to use this, but if you want you can generate different parameters and put them here. There's no easy way to change this via the config file at this time.

Note
If you increase the number of bits you need to update defaultRSAKeyBits accordingly.

Definition at line 59 of file make_SSLContext.cpp.

◆ defaultCipherList

const std::string ripple::openssl::detail::defaultCipherList = "TLSv1.2:!CBC:!DSS:!PSK:!eNULL:!aNULL"

The default list of ciphers we accept over TLS.

Generally we include cipher suites that are part of TLS v1.2, but we specifically exclude:

  • cipher suites using CBC mode (!CBC);
  • the DSS cipher suites (!DSS);
  • cipher suites using pre-shared keys (!PSK);
  • cipher suites that don't offer encryption (!eNULL); and
  • cipher suites that don't offer authentication (!aNULL).

Note
Server administrators can override this default list, on either a global or per-port basis, using the ssl_ciphers directive in the config file.

Definition at line 83 of file make_SSLContext.cpp.
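To confirm on a given OpenSSL build that defaultCipherList really excludes what the list above describes, the following added example (not rippled's code) hands the string to Python's ssl module, which uses the same OpenSSL cipher-string syntax, and classifies every suite left enabled. It assumes Python 3.6 or later linked against OpenSSL; the audit_cipher_list name and the report layout are this example's own.

```python
import re
import ssl

# The cipher string documented above (rippled's defaultCipherList).
DEFAULT_CIPHER_LIST = "TLSv1.2:!CBC:!DSS:!PSK:!eNULL:!aNULL"

# OpenSSL's one-line suite description, e.g.
# "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
_DESC_RE = re.compile(r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def audit_cipher_list(cipher_list: str = DEFAULT_CIPHER_LIST) -> dict:
    """Apply cipher_list to a server context and classify the surviving suites.

    violations: (name, reason) for suites contradicting the documented
    exclusions (DSS auth, PSK, eNULL, aNULL, or a pre-TLS 1.2 minimum).
    cbc: non-AEAD (CBC-mode) TLS 1.2 suites that !CBC did not remove; only
    reported, since honouring the CBC alias depends on the OpenSSL build.
    tls13: TLS 1.3 suites, listed untouched; the cipher string does not
    govern them (OpenSSL configures those via SSL_CTX_set_ciphersuites).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    report = {"total": 0, "tls13": [], "violations": [], "cbc": []}
    for suite in ctx.get_ciphers():
        name, proto = suite["name"], suite["protocol"]
        report["total"] += 1
        if proto == "TLSv1.3":
            report["tls13"].append(name)
            continue
        if proto != "TLSv1.2":
            report["violations"].append((name, "minimum protocol " + proto))
        m = _DESC_RE.search(suite["description"])
        if m is None:
            report["violations"].append((name, "unparsed description"))
            continue
        kx, au, enc, mac = m.groups()
        if au == "DSS":
            report["violations"].append((name, "DSS authentication"))
        if "PSK" in kx or au == "PSK":
            report["violations"].append((name, "pre-shared key"))
        if enc == "None":
            report["violations"].append((name, "no encryption (eNULL)"))
        if au == "None":
            report["violations"].append((name, "no authentication (aNULL)"))
        if mac != "AEAD":
            report["cbc"].append(name)
    return report
```

Calling audit_cipher_list() with no argument audits the default string; pass an ssl_ciphers override to audit that instead. The check covers only the exclusions the documentation promises, so suites without forward secrecy (Kx=RSA) pass it unremarked.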