http/tls: Index banned_ciphers by standard cipher name

This alleviates the need for our own standard name to openssl name map for ciphers. Requires a new luaossl release
daurnimator · Aug 3, 2018 · 05f23b1 · 05f23b1
1 parent cd9ff6b
commit 05f23b1
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 352 deletions.
diff --git a/NEWS b/NEWS
@@ -4,6 +4,7 @@ UNRELEASED
   - Fix incorrect timeout handling in `websocket:receive()`
   - Add workaround to allow being required in openresty (#98)
   - Add http.tls.old_cipher_list (#112)
+  - Change http.tls.banned_ciphers to be indexed by standard cipher name (#116)
 
 
 0.2 - 2017-05-28

diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ This will automatically install run-time lua dependencies for you.
 ## Dependencies
 
   - [cqueues](http://25thandclement.com/~william/projects/cqueues.html) >= 20161214 (Note: cqueues currently doesn't support Microsoft Windows operating systems)
-  - [luaossl](http://25thandclement.com/~william/projects/luaossl.html) >= 20161208
+  - [luaossl](http://25thandclement.com/~william/projects/luaossl.html) >= 20180803
   - [basexx](https://github.com/aiq/basexx/) >= 0.2.0
   - [lpeg](http://www.inf.puc-rio.br/~roberto/lpeg/lpeg.html)
   - [lpeg_patterns](https://github.com/daurnimator/lpeg_patterns) >= 0.3

diff --git a/doc/modules/http.tls.md b/doc/modules/http.tls.md
@@ -31,9 +31,7 @@ The [Mozilla "Old" cipher list](https://wiki.mozilla.org/Security/Server_Side_TL
 
 ### `banned_ciphers` <!-- --> {#http.tls.banned_ciphers}
 
-A set (table with string keys and values of `true`) of the [ciphers banned in HTTP 2](https://http2.github.io/http2-spec/#BadCipherSuites) where the keys are OpenSSL cipher names.
-
-Ciphers not known by OpenSSL are missing from the set.
+A set (table with string keys and values of `true`) of the [ciphers banned in HTTP 2](https://http2.github.io/http2-spec/#BadCipherSuites) where the keys are standard cipher names.
 
 
 ### `new_client_context()` <!-- --> {#http.tls.new_client_context}

diff --git a/http-scm-0.rockspec b/http-scm-0.rockspec
@@ -16,7 +16,7 @@ dependencies = {
 	"compat53 >= 0.3"; -- Only if lua < 5.3
 	"bit32"; -- Only if lua == 5.1
 	"cqueues >= 20161214";
-	"luaossl >= 20161208";
+	"luaossl >= 20180803";
 	"basexx >= 0.2.0";
 	"lpeg";
 	"lpeg_patterns >= 0.3";

diff --git a/http/h2_connection.lua b/http/h2_connection.lua
@@ -102,8 +102,8 @@ local function new_connection(socket, conn_type, settings)
 	local ssl = socket:checktls()
 	if ssl then
 		local cipher = ssl:getCipherInfo()
-		if h2_banned_ciphers[cipher.name] then
-			h2_error.errors.INADEQUATE_SECURITY("bad cipher: " .. cipher.name)
+		if h2_banned_ciphers[cipher.standard_name] then
+			h2_error.errors.INADEQUATE_SECURITY("bad cipher: " .. cipher.standard_name)
 		end
 	end