From 7f7637c9b8d3dbb348c0f049b587fc5f10296356 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Fri, 16 Jul 2021 18:32:26 +0200
Subject: [PATCH] Introduce DEFAULT_TLS_CIPHERS and DEFAULT_TLS_PROTOCOLMIN

---
 lib/base/tlsutility.hpp | 4 ++++
 lib/remote/apilistener.ti | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/base/tlsutility.hpp b/lib/base/tlsutility.hpp
index ce50fb427..0bc1a8332 100644
--- a/lib/base/tlsutility.hpp
+++ b/lib/base/tlsutility.hpp
@@ -25,6 +25,10 @@ namespace icinga
 {
+const char * const DEFAULT_TLS_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256";
+
+const char * const DEFAULT_TLS_PROTOCOLMIN = "TLSv1.2";
+
 void InitializeOpenSSL();
 String GetOpenSSLVersion();
diff --git a/lib/remote/apilistener.ti b/lib/remote/apilistener.ti
index fa0ad395b..d62402b6e 100644
--- a/lib/remote/apilistener.ti
+++ b/lib/remote/apilistener.ti
@@ -3,6 +3,7 @@
 #include "remote/i2-remote.hpp"
 #include "base/configobject.hpp"
 #include "base/application.hpp"
+#include "base/tlsutility.hpp"
 library remote;
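Review bot: DEFAULT_TLS_CIPHERS and DEFAULT_TLS_PROTOCOLMIN land in tlsutility.hpp without a comment, although they now define the default TLS policy for every translation unit that includes the header, not only ApiListener's cipher_list and tls_protocolmin defaults. I would put above them: `// Default TLS policy (TLS 1.2 cipher list and minimum protocol) shared by all consumers of tlsutility.hpp; any change here is a security-relevant change and must stay in sync with the documented defaults.` If the project hands this string to OpenSSL via SSL_CTX_set_cipher_list, the comment should also say that it governs only TLS 1.2 and earlier suites, since OpenSSL configures TLS 1.3 suites through a separate ciphersuites setting — confirm against the code that applies it. On style, a namespace-scope `const char * const` in a header gets internal linkage and a copy per translation unit; `constexpr const char * const` expresses the compile-time constancy directly and avoids that.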
@@ -18,10 +19,10 @@ class ApiListener : ConfigObject
 [config, deprecated] String ca_path;
 [config] String crl_path;
 [config] String cipher_list {
-default {{{ return "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256"; }}}
+default {{{ return DEFAULT_TLS_CIPHERS; }}}
 };
 [config] String tls_protocolmin {
-default {{{ return "TLSv1.2"; }}}
+default {{{ return DEFAULT_TLS_PROTOCOLMIN; }}}
 };
 [config] String bind_host {