generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove LOW from the default

Browse Source 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 29cce508972f61511318bf8cf7011fae027cddb2)
This commit is contained in:
Kurt Roeckx 2016-01-10 13:23:43 +01:00
parent 0199251318
commit 6e7a1f35b7
7 changed files with 67 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@ -4,7 +4,9 @@
Changes between 1.0.1s and 1.0.1t [xx XXX xxxx]
*)
*) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
default.
[Kurt Roeckx]
Changes between 1.0.1r and 1.0.1s [1 Mar 2016]

2
doc/apps/ciphers.pod
View File

@ -107,7 +107,7 @@ The following is a list of all permitted cipher strings and their meanings.
The default cipher list.
This is determined at compile time and is normally
B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>.
B<ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2>.
When used, this must be the first cipherstring specified.
=item B<COMPLEMENTOFDEFAULT>

16
ssl/s2_lib.c
View File

@ -150,7 +150,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0,
128,
128,
@ -167,7 +167,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
40,
128,
@ -184,7 +184,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC2,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0,
128,
128,
@ -201,7 +201,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC2,
SSL_MD5,
SSL_SSLV2,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
40,
128,
@ -219,7 +219,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_IDEA,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0,
128,
128,
@ -237,7 +237,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_DES,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP | SSL_LOW,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
0,
56,
56,
@ -254,7 +254,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_3DES,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP | SSL_HIGH,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
0,
112,
168,
@ -271,7 +271,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP | SSL_LOW,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL2_CF_8_BYTE_ENC,
64,
64,

88
ssl/s3_lib.c
View File

@ -213,7 +213,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@ -263,7 +263,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2,
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@ -299,7 +299,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@ -352,7 +352,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@ -370,7 +370,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@ -404,7 +404,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@ -422,7 +422,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@ -457,7 +457,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@ -475,7 +475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@ -509,7 +509,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@ -527,7 +527,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@ -561,7 +561,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@ -578,7 +578,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@ -595,7 +595,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@ -613,7 +613,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@ -630,7 +630,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@ -700,7 +700,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@ -766,7 +766,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_MD5,
SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@ -832,7 +832,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@ -850,7 +850,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2,
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@ -868,7 +868,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@ -886,7 +886,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@ -904,7 +904,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2,
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@ -922,7 +922,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT | SSL_EXP40,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@ -1016,7 +1016,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@ -1111,7 +1111,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@ -1307,7 +1307,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@ -1327,7 +1327,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@ -1343,7 +1343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2,
SSL_MD5,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@ -1361,7 +1361,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@ -1379,7 +1379,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@ -1397,7 +1397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@ -1415,7 +1415,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@ -1530,7 +1530,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@ -1546,7 +1546,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@ -1865,7 +1865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@ -2045,7 +2045,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@ -2061,7 +2061,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@ -2414,7 +2414,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@ -2430,7 +2430,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@ -2446,7 +2446,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@ -2462,7 +2462,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,

2
ssl/ssl.h
View File

@ -334,7 +334,7 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
*/
# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is

16
ssl/ssl_ciph.c
View File

@ -235,8 +235,7 @@ static const SSL_CIPHER cipher_aliases[] = {
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!)
*/
{0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2,
SSL_EXP_MASK, 0, 0, 0},
{0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
/*
* key exchange aliases (some of those using only a single bit here
@ -1000,10 +999,6 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl,
cp->algo_strength);
#endif
if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
goto ok;
if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
goto ok;
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue;
if (alg_auth && !(alg_auth & cp->algorithm_auth))
@ -1020,10 +1015,11 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
if ((algo_strength & SSL_STRONG_MASK)
&& !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
continue;
if ((algo_strength & SSL_NOT_DEFAULT)
&& !(cp->algo_strength & SSL_NOT_DEFAULT))
continue;
}
ok:
#ifdef CIPHER_DEBUG
fprintf(stderr, "Action = %d\n", rule);
#endif
@ -1307,6 +1303,10 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
ca_list[j]->algo_strength & SSL_STRONG_MASK;
}
if (ca_list[j]->algo_strength & SSL_NOT_DEFAULT) {
algo_strength |= SSL_NOT_DEFAULT;
}
if (ca_list[j]->valid) {
/*
* explicit ciphersuite found; its protocol version does not

3
ssl/ssl_locl.h
View File

@ -435,8 +435,9 @@
# define SSL_MEDIUM 0x00000040L
# define SSL_HIGH 0x00000080L
# define SSL_FIPS 0x00000100L
# define SSL_NOT_DEFAULT 0x00000200L
/* we have used 000001ff - 23 bits left to go */
/* we have used 000003ff - 22 bits left to go */
/*-
* Macros to check the export status and cipher strength for export ciphers.