OpenSSL: deselect weak ciphers by default
By default even recent versions of OpenSSL support and accept both "export strength" ciphers and small-bitsize ciphers, as well as downright deprecated ones. This change sets a default cipher set that avoids the worst ciphers, and subsequently makes https://www.howsmyssl.com/a/check no longer grade curl/OpenSSL connects as 'Bad'. Bug: http://curl.haxx.se/bug/view.cgi?id=1323 Reported-by: Jeff Hodges
parent
3b183df9cc
commit
3b5c75ef3d
@ -1404,7 +1404,7 @@ ossl_connect_step1(struct connectdata *conn,
|
||||
int sockindex)
|
||||
{
|
||||
CURLcode retcode = CURLE_OK;
|
||||
|
||||
char *ciphers;
|
||||
struct SessionHandle *data = conn->data;
|
||||
SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
|
||||
void *ssl_sessionid=NULL;
|
||||
@ -1629,12 +1629,12 @@ ossl_connect_step1(struct connectdata *conn,
|
||||
}
|
||||
}
|
||||
|
||||
if(data->set.str[STRING_SSL_CIPHER_LIST]) {
|
||||
if(!SSL_CTX_set_cipher_list(connssl->ctx,
|
||||
data->set.str[STRING_SSL_CIPHER_LIST])) {
|
||||
failf(data, "failed setting cipher list");
|
||||
return CURLE_SSL_CIPHER;
|
||||
}
|
||||
ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
|
||||
if(!ciphers)
|
||||
ciphers = (char *)DEFAULT_CIPHER_SELECTION;
|
||||
if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
|
||||
failf(data, "failed setting cipher list: %s", ciphers);
|
||||
return CURLE_SSL_CIPHER;
|
||||
}
|
||||
|
||||
#ifdef USE_TLS_SRP
|
||||
|
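Review bot: `ciphers` is declared as a plain `char *` in the earlier hunk and then assigned `(char *)DEFAULT_CIPHER_SELECTION`, which casts away the constness of a string literal for no gain: the pointer only flows into SSL_CTX_set_cipher_list(), which takes a `const char *`, and into a `%s` in failf(). Declaring it `const char *ciphers;` and writing `ciphers = DEFAULT_CIPHER_SELECTION;` removes the cast. The new default branch would also read better with a comment such as `/* no application-provided cipher list: fall back to curl's default selection */`, making it explicit that a list set via STRING_SSL_CIPHER_LIST replaces the default entirely rather than being combined with it. ossl_connect_step1 begins before the first hunk and continues past this one, so the surrounding error handling is not visible here.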
@ -7,7 +7,7 @@
|
||||
* | (__| |_| | _ <| |___
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
* Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
* Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
@ -95,5 +95,7 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */
|
||||
#define curlssl_random(x,y,z) Curl_ossl_random(x,y,z)
|
||||
#define curlssl_md5sum(a,b,c,d) Curl_ossl_md5sum(a,b,c,d)
|
||||
|
||||
#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
|
||||
|
||||
#endif /* USE_SSLEAY */
|
||||
#endif /* HEADER_CURL_SSLUSE_H */
|
||||
|
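Review bot: The new DEFAULT_CIPHER_SELECTION string runs its entries together without the ':' separators that the OpenSSL cipher-list syntax documents, so whether "ALL!EXPORT!EXPORT40..." is parsed as intended depends on undocumented leniency in the cipher-string parser rather than on its specified grammar. If the string fails to parse, SSL_CTX_set_cipher_list() returns 0 and, per the ssluse.c hunk, every connection made without an application-provided cipher list fails with CURLE_SSL_CIPHER, so the default deserves the documented form: `#define DEFAULT_CIPHER_SELECTION "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4"`. A one-line comment above the define stating that it applies only when no cipher list is set by the application, and that it removes export-grade, anonymous, low-strength and RC4 suites, would help the next person who revisits the selection.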