From 368a1465ec3345c71d6d4edca03f4f9b038f571c Mon Sep 17 00:00:00 2001
From: Jfreegman
Date: Thu, 29 Oct 2015 15:13:42 -0400
Subject: [PATCH] Use a specified TLS cipher list for https name lookups

---
 README.md | 1 -
 src/name_lookup.c | 15 ++++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index a735f69..da5d8b5 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,3 @@
-# Toxic [![Build Status](https://travis-ci.org/JFreegman/toxic.png?branch=master)](https://travis-ci.org/JFreegman/toxic)
 Toxic is a [Tox](https://tox.chat)-based instant messenging client which formerly resided in the [Tox core repository](https://github.com/irungentoo/toxcore), and is now available as a standalone application.
 
 [![Toxic Screenshot](https://i.imgur.com/san99Z2.png "Home Screen")](https://i.imgur.com/san99Z2.png)
diff --git a/src/name_lookup.c b/src/name_lookup.c
index 5fdd21a..9de8ac2 100644
--- a/src/name_lookup.c
+++ b/src/name_lookup.c
@@ -41,6 +41,9 @@ extern struct Winthread Winthread;;
 #define MAX_DOMAIN_SIZE 32
 #define MAX_SERVER_LINE MAX_DOMAIN_SIZE + (SERVER_KEY_SIZE * 2) + 3
 
+/* List based on Mozilla's recommended configurations for modern browsers */
+#define TLS_CIPHER_SUITE_LIST "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
+
 struct Nameservers {
     int lines;
     char names[MAX_SERVERS][MAX_DOMAIN_SIZE];
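Review bot: The comment above the new `TLS_CIPHER_SUITE_LIST` should state that the string is in OpenSSL cipher-list syntax and when it was copied from Mozilla, because libcurl's documentation has the format of `CURLOPT_SSL_CIPHER_LIST` depend on the TLS backend it was built against, and a reader otherwise has no way to judge how stale the list is. As written the list still admits CBC/SHA-1 suites such as `ECDHE-RSA-AES128-SHA` and `DHE-RSA-AES256-SHA`, which matched the recommendation at the time but are the first candidates to prune on a refresh. Suggested replacement comment: `/* OpenSSL cipher-list syntax; copied from Mozilla's recommended configuration for modern browsers on [date of snapshot]. Revisit when that recommendation changes. */`. A `static const char TLS_CIPHER_SUITE_LIST[]` would also keep the string out of the preprocessor and visible in a debugger, though the `#define` is not wrong.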
@@ -282,8 +285,9 @@ void *lookup_thread_func(void *data)
 
     curl_easy_setopt(c_handle, CURLOPT_USERAGENT, "libcurl-agent/1.0");
     curl_easy_setopt(c_handle, CURLOPT_POSTFIELDS, post_data);
+
     if (curl_easy_setopt(c_handle, CURLOPT_USE_SSL, CURLUSESSL_ALL) != CURLE_OK) {
-        lookup_error(self, "Failed to enable TLS.");
+        lookup_error(self, "TLS could not be enabled.");
         goto on_exit;
     }
 
@@ -292,13 +296,18 @@ void *lookup_thread_func(void *data)
         goto on_exit;
     }
 
+    if (curl_easy_setopt(c_handle, CURLOPT_SSL_CIPHER_LIST, TLS_CIPHER_SUITE_LIST) != CURLE_OK) {
+        lookup_error(self, "Failed to set TLS cipher list.");
+        goto on_exit;
+    }
+
     if (curl_easy_perform(c_handle) != CURLE_OK) {
-        lookup_error(self, "curl lookup error.");
+        lookup_error(self, "https lookup error.");
         goto on_exit;
     }
 
     if (process_response(&recv_data) == -1) {
-        lookup_error(self, "parsing error.");
+        lookup_error(self, "Name lookup failed.");
         goto on_exit;
     }
 
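Review bot: A `CURLE_OK` from `curl_easy_setopt(c_handle, CURLOPT_SSL_CIPHER_LIST, TLS_CIPHER_SUITE_LIST)` only confirms libcurl stored the string; the TLS backend parses it at connect time, so an unsupported or mistyped list would surface later as the generic `"https lookup error."` from `curl_easy_perform`, never as the new `"Failed to set TLS cipher list."` message. Capturing the result (`CURLcode res = curl_easy_perform(c_handle);`) and surfacing `curl_easy_strerror(res)` alongside that message would make this failure mode diagnosable from a user's report. The added block constrains cipher suites, but nothing in this hunk pins a minimum protocol version (`CURLOPT_SSLVERSION`); if that is not done elsewhere in `lookup_thread_func`, it belongs next to the cipher-list call. The enclosing function and the `on_exit` label lie outside the hunk.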