X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Ftlsproxy.h;h=4664428fe862be1f5ce02bde348399b037667b8d;hb=c3bbe13023ec0021a18f99d6e9b643d84a3505cb;hp=fae7d60dec4dbfd0647b2ad5017abbf17a1ee8ad;hpb=9f7ef8fa5c5216ac2510d2b4acb3b1b5c26886d1;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/tlsproxy.h b/src/tlsproxy.h
index fae7d60..4664428 100644
--- a/src/tlsproxy.h
+++ b/src/tlsproxy.h
@@ -51,7 +51,16 @@
 #define STORED_SERVER_CERT_FILE_FORMAT "./certificate-%s-server.pem"
 
 /* GnuTLS priority string used for both server and client connections. */
-#define PROXY_TLS_PRIORITIES "NORMAL"
+#define PROXY_TLS_PRIORITIES \
+    /* Don't use known insecure algorithms. */ \
+    "SECURE" \
+    /* Lower priority of SHA-1, user better hashes if possible. */ \
+    ":-SHA1:+SHA1" \
+    /* Force safe renegotiations. Shouldn't cause any problems as this \
+     * option only affects the server side (with GnuTLS defaults) and the \
+     * local clients most-likely already support safe renegotiations (old \
+     * servers are therefore not an issue). */ \
+    ":%SAFE_RENEGOTIATION"
 
 
 /* Proxy hostname and port if specified on the command line. */