generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove LOW from the default

Browse Source 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 29cce508972f61511318bf8cf7011fae027cddb2)
This commit is contained in:
Kurt Roeckx 2016-01-10 13:23:43 +01:00
parent 0199251318
commit 6e7a1f35b7
7 changed files with 67 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@ -4,7 +4,9 @@
Changes between 1.0.1s and 1.0.1t [xx XXX xxxx] Changes between 1.0.1s and 1.0.1t [xx XXX xxxx]
*) *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
default.
[Kurt Roeckx]
Changes between 1.0.1r and 1.0.1s [1 Mar 2016] Changes between 1.0.1r and 1.0.1s [1 Mar 2016]

2
doc/apps/ciphers.pod
View File

@ -107,7 +107,7 @@ The following is a list of all permitted cipher strings and their meanings.
The default cipher list. The default cipher list.
This is determined at compile time and is normally This is determined at compile time and is normally
B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>. B<ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2>.
When used, this must be the first cipherstring specified. When used, this must be the first cipherstring specified.
=item B<COMPLEMENTOFDEFAULT> =item B<COMPLEMENTOFDEFAULT>

16
ssl/s2_lib.c
View File

@ -150,7 +150,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0, 0,
128, 128,
128, 128,
@ -167,7 +167,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL2_CF_5_BYTE_ENC, SSL2_CF_5_BYTE_ENC,
40, 40,
128, 128,
@ -184,7 +184,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0, 0,
128, 128,
128, 128,
@ -201,7 +201,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL2_CF_5_BYTE_ENC, SSL2_CF_5_BYTE_ENC,
40, 40,
128, 128,
@ -219,7 +219,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_IDEA, SSL_IDEA,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0, 0,
128, 128,
128, 128,
@ -237,7 +237,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_DES, SSL_DES,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
0, 0,
56, 56,
56, 56,
@ -254,7 +254,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_3DES, SSL_3DES,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_HIGH, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
0, 0,
112, 112,
168, 168,
@ -271,7 +271,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL2_CF_8_BYTE_ENC, SSL2_CF_8_BYTE_ENC,
64, 64,
64, 64,

88
ssl/s3_lib.c
View File

@ -213,7 +213,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -263,7 +263,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -299,7 +299,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -352,7 +352,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -370,7 +370,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -404,7 +404,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -422,7 +422,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -457,7 +457,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -475,7 +475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -509,7 +509,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -527,7 +527,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -561,7 +561,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -578,7 +578,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -595,7 +595,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -613,7 +613,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -630,7 +630,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES, SSL_3DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112, 112,
168, 168,
@ -700,7 +700,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -766,7 +766,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -832,7 +832,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -850,7 +850,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -868,7 +868,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -886,7 +886,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -904,7 +904,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -922,7 +922,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -1016,7 +1016,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128, SSL_AES128,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1111,7 +1111,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256, SSL_AES256,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,
@ -1307,7 +1307,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128, SSL_CAMELLIA128,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1327,7 +1327,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
128, 128,
@ -1343,7 +1343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
128, 128,
@ -1361,7 +1361,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -1379,7 +1379,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -1397,7 +1397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
128, 128,
@ -1415,7 +1415,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
128, 128,
@ -1530,7 +1530,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128, SSL_AES128,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1546,7 +1546,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256, SSL_AES256,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,
@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256, SSL_CAMELLIA256,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,
@ -1865,7 +1865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED, SSL_SEED,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2045,7 +2045,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM, SSL_AES128GCM,
SSL_AEAD, SSL_AEAD,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128, 128,
128, 128,
@ -2061,7 +2061,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM, SSL_AES256GCM,
SSL_AEAD, SSL_AEAD,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256, 256,
256, 256,
@ -2414,7 +2414,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2430,7 +2430,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES, SSL_3DES,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112, 112,
168, 168,
@ -2446,7 +2446,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128, SSL_AES128,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2462,7 +2462,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256, SSL_AES256,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,

2
ssl/ssl.h
View File

@ -334,7 +334,7 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when * The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'. * an application-defined cipher list string starts with 'DEFAULT'.
*/ */
# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2" # define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
/* /*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is * starts with a reasonable order, and all we have to do for DEFAULT is

16
ssl/ssl_ciph.c
View File

@ -235,8 +235,7 @@ static const SSL_CIPHER cipher_aliases[] = {
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!) * ALL!)
*/ */
{0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2, {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
SSL_EXP_MASK, 0, 0, 0},
/* /*
* key exchange aliases (some of those using only a single bit here * key exchange aliases (some of those using only a single bit here
@ -1000,10 +999,6 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl,
cp->algo_strength); cp->algo_strength);
#endif #endif
if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
goto ok;
if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
goto ok;
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue; continue;
if (alg_auth && !(alg_auth & cp->algorithm_auth)) if (alg_auth && !(alg_auth & cp->algorithm_auth))
@ -1020,10 +1015,11 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
if ((algo_strength & SSL_STRONG_MASK) if ((algo_strength & SSL_STRONG_MASK)
&& !(algo_strength & SSL_STRONG_MASK & cp->algo_strength)) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
continue; continue;
if ((algo_strength & SSL_NOT_DEFAULT)
&& !(cp->algo_strength & SSL_NOT_DEFAULT))
continue;
} }
ok:
#ifdef CIPHER_DEBUG #ifdef CIPHER_DEBUG
fprintf(stderr, "Action = %d\n", rule); fprintf(stderr, "Action = %d\n", rule);
#endif #endif
@ -1307,6 +1303,10 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
ca_list[j]->algo_strength & SSL_STRONG_MASK; ca_list[j]->algo_strength & SSL_STRONG_MASK;
} }
if (ca_list[j]->algo_strength & SSL_NOT_DEFAULT) {
algo_strength |= SSL_NOT_DEFAULT;
}
if (ca_list[j]->valid) { if (ca_list[j]->valid) {
/* /*
* explicit ciphersuite found; its protocol version does not * explicit ciphersuite found; its protocol version does not

3
ssl/ssl_locl.h
View File

@ -435,8 +435,9 @@
# define SSL_MEDIUM 0x00000040L # define SSL_MEDIUM 0x00000040L
# define SSL_HIGH 0x00000080L # define SSL_HIGH 0x00000080L
# define SSL_FIPS 0x00000100L # define SSL_FIPS 0x00000100L
# define SSL_NOT_DEFAULT 0x00000200L
/* we have used 000001ff - 23 bits left to go */ /* we have used 000003ff - 22 bits left to go */
/*- /*-
* Macros to check the export status and cipher strength for export ciphers. * Macros to check the export status and cipher strength for export ciphers.