Index: libcurl_http_fetcher.cc |
diff --git a/libcurl_http_fetcher.cc b/libcurl_http_fetcher.cc |
index 8af9d455bf64386b9f19e85df176cb346e17338e..d5358bd252118b90efa4fd8219192c51d2cf77ca 100644 |
--- a/libcurl_http_fetcher.cc |
+++ b/libcurl_http_fetcher.cc |
@@ -101,20 +101,24 @@ void LibcurlHttpFetcher::ResumeTransfer(const std::string& url) { |
CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_MAXREDIRS, kMaxRedirects), |
CURLE_OK); |
- // Makes sure that peer certificate verification is enabled and restricts the |
- // set of trusted certificates. |
- CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1), CURLE_OK); |
- CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH, kCACertificatesPath), |
- CURLE_OK); |
- |
- // Restrict protocols to HTTPS in official builds. |
+ // Security lock-down in official builds: makes sure that peer certificate |
+ // verification is enabled, restricts the set of trusted certificates, |
+ // restricts protocols to HTTPS, restricts ciphers to HIGH. |
if (IsOfficialBuild()) { |
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1), |
+ CURLE_OK); |
+ CHECK_EQ(curl_easy_setopt(curl_handle_, |
+ CURLOPT_CAPATH, |
+ kCACertificatesPath), |
+ CURLE_OK); |
CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS), |
CURLE_OK); |
CHECK_EQ(curl_easy_setopt(curl_handle_, |
CURLOPT_REDIR_PROTOCOLS, |
CURLPROTO_HTTPS), |
CURLE_OK); |
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_CIPHER_LIST, "HIGH"), |
+ CURLE_OK); |
} |
CHECK_EQ(curl_multi_add_handle(curl_multi_handle_, curl_handle_), CURLM_OK); |