xrpld
Loading...
Searching...
No Matches
Functions | Variables
xrpl::openssl::detail Namespace Reference

Functions

static void initAnonymous (boost::asio::ssl::context &context)
static void initAuthenticated (boost::asio::ssl::context &context, std::string const &keyFile, std::string const &certFile, std::string const &chainFile)
std::shared_ptr< boost::asio::ssl::context > getContext (std::string cipherList)

Variables

int gDefaultRsaKeyBits = 2048
 The default strength of self-signed RSA certificates.
static constexpr char kDefaultDh []
 The default DH parameters.
std::string const kDefaultCipherList = "TLSv1.2:!CBC:!DSS:!PSK:!eNULL:!aNULL"
 The default list of ciphers we accept over TLS.

Function Documentation

◆ initAnonymous()

void xrpl::openssl::detail::initAnonymous ( boost::asio::ssl::context & context)
static

Definition at line 90 of file make_SSLContext.cpp.

◆ initAuthenticated()

void xrpl::openssl::detail::initAuthenticated ( boost::asio::ssl::context & context,
std::string const & keyFile,
std::string const & certFile,
std::string const & chainFile )
static

Definition at line 226 of file make_SSLContext.cpp.

◆ getContext()

std::shared_ptr< boost::asio::ssl::context > xrpl::openssl::detail::getContext ( std::string cipherList)

Definition at line 322 of file make_SSLContext.cpp.

Variable Documentation

◆ gDefaultRsaKeyBits

int xrpl::openssl::detail::gDefaultRsaKeyBits = 2048

The default strength of self-signed RSA certificates.

Per NIST Special Publication 800-57 Part 3, 2048-bit RSA is still considered acceptably secure. Generally, we would want to go above and beyond such recommendations (e.g. by using 3072 or 4096 bits) but there is a computational cost associated with that may not be worth paying, considering that:

  • We regenerate a new ephemeral certificate and a securely generated random private key every time the server is started; and

  • There should not be any truly secure information (e.g. seeds or private keys) that gets relayed to the server anyways over these RPCs.

    Note
    If you increase the number of bits you need to generate new default DH parameters and update defaultDH accordingly.

Definition at line 49 of file make_SSLContext.cpp.

◆ kDefaultDh

char xrpl::openssl::detail::kDefaultDh[]
staticconstexpr
Initial value:
=
"-----BEGIN DH PARAMETERS-----\n"
"MIIBCAKCAQEApKSWfR7LKy0VoZ/SDCObCvJ5HKX2J93RJ+QN8kJwHh+uuA8G+t8Q\n"
"MDRjL5HanlV/sKN9HXqBc7eqHmmbqYwIXKUt9MUZTLNheguddxVlc2IjdP5i9Ps8\n"
"l7su8tnP0l1JvC6Rfv3epRsEAw/ZW/lC2IwkQPpOmvnENQhQ6TgrUzcGkv4Bn0X6\n"
"pxrDSBpZ+45oehGCUAtcbY8b02vu8zPFoxqo6V/+MIszGzldlik5bVqrJpVF6E8C\n"
"tRqHjj6KuDbPbjc+pRGvwx/BSO3SULxmYu9J1NOk090MU1CMt6IJY7TpEc9Xrac9\n"
"9yqY3xXZID240RRcaJ25+U4lszFPqP+CEwIBAg==\n"
"-----END DH PARAMETERS-----"

The default DH parameters.

These were generated using the OpenSSL command: openssl dhparam 2048 by Nik Bougalis nikb@.nosp@m.boug.nosp@m.alis..nosp@m.net on May, 29, 2022.

It is safe to use this, but if you want you can generate different parameters and put them here. There's no easy way to change this via the config file at this time.

Note
If you increase the number of bits you need to update defaultRSAKeyBits accordingly.

Definition at line 63 of file make_SSLContext.cpp.

◆ kDefaultCipherList

std::string const xrpl::openssl::detail::kDefaultCipherList = "TLSv1.2:!CBC:!DSS:!PSK:!eNULL:!aNULL"

The default list of ciphers we accept over TLS.

Generally we include cipher suites that are part of TLS v1.2, but we specifically exclude:

  • the DSS cipher suites (!DSS);
  • cipher suites using pre-shared keys (!PSK);
  • cipher suites that don't offer encryption (!eNULL); and
  • cipher suites that don't offer authentication (!aNULL).
Note
Server administrators can override this default list, on either a global or per-port basis, using the ssl_ciphers directive in the config file.

Definition at line 87 of file make_SSLContext.cpp.

Generated by doxygen 1.16.1