1 /*-
2  * SSLsplit - transparent SSL/TLS interception
3  * https://www.roe.ch/SSLsplit
4  *
5  * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions are met:
10  * 1. Redistributions of source code must retain the above copyright notice,
11  *    this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright notice,
13  *    this list of conditions and the following disclaimer in the documentation
14  *    and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
17  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26  * POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 #ifndef DEFAULTS_H
30 #define DEFAULTS_H
31 
32 /*
33  * Defaults for convenient tweaking or patching.
34  */
35 
36 /*
37  * User to drop privileges to by default.  This user needs to be allowed to
38  * create outbound TCP connections, and in some configurations, perform DNS
39  * resolution.
40  *
41  * Packagers may want to use a specific service user account instead of
42  * overloading nobody with yet another use case.  Using nobody for source
43  * builds makes sense because chances are high that it exists.  Good practice
44  * is to create a dedicated user for sslsplit.
45  *
46  * Make sure to also patch the manual page if you patch this.
47  */
48 #define DFLT_DROPUSER "nobody"
49 
50 /*
51  * Default file and directory modes for newly created files and directories
52  * created as part of e.g. logging.  The default is to use full permissions
53  * subject to the system's umask, as is the default for system utilities.
54  * Use a more restrictive mode for the PID file.
55  */
56 #define DFLT_DIRMODE  0777
57 #define DFLT_FILEMODE 0666
58 #define DFLT_PIDFMODE 0644
59 
60 /*
61  * Default ciphers spec.
62  * Use 'openssl ciphers -v spec' to see what ciphers are effectively enabled
63  * by a ciphers spec with a given version of OpenSSL.
64  */
65 #define DFLT_CIPHERS "ALL:-aNULL"
66 
67 /*
68  * Default ciphersuites spec.
69  * Use 'openssl ciphers -v spec' to see what ciphersuites are effectively enabled
70  * by a ciphersuites spec with a given version of OpenSSL.
71  * The ciphersuites spec is for TLS 1.3.
72  */
/* One TLS 1.3 suite per line; adjacent literals concatenate at compile time. */
#define DFLT_CIPHERSUITES \
	"TLS_AES_256_GCM_SHA384:" \
	"TLS_CHACHA20_POLY1305_SHA256:" \
	"TLS_AES_128_GCM_SHA256"
74 
75 /*
76  * Default elliptic curve for EC cipher suites.
77  */
78 #define DFLT_CURVE "prime256v1"
79 
80 /*
81  * Default leaf key RSA keysize in bits.
82  *
83  * While implementations still generally accepted leaf keys of 1024 bits in
84  * size, we used 1024 for leaf keys.  As implementations are starting to sunset
85  * 1024 bit RSA not only for CA keys, but also for leaf keys, we now use a 2048
86  * bit key size for the leaf cert key in order to maximize interoperability in
87  * default config.
88  *
89  * Users who want a different size, for example 1024 bit RSA for performance,
90  * can always use their own pre-generated leaf key using the -K option instead
91  * of generating one automatically.
92  *
93  * Refer to the following resources on key sizes accepted by different
94  * implementations.  Note that OpenSSL security level restrictions potentially
95  * apply to both sslsplit and all of the clients and servers using OpenSSL.
96  *
97  * OpenSSL:
98  * https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_get_security_level.html
99  * https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_security_level.html
100  */
101 #define DFLT_LEAFKEY_RSABITS 2048
102 
103 #endif /* !DEFAULTS_H */
104 
105 /* vim: set noet ft=c: */
106