generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove export ciphers from the DEFAULT cipher list

Browse Source 
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit bc2e18a3c8)
This commit is contained in:
Kurt Roeckx
2015-03-04 21:57:52 +01:00
parent 09712fd0e3
commit 71b0bb764c
4 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
ssl/ssl_ciph.c
View File

@@ -228,8 +228,8 @@ static const SSL_CIPHER cipher_aliases[] = {
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!)
*/
{0, SSL_TXT_CMPDEF, 0, SSL_kEDH | SSL_kEECDH, SSL_aNULL, ~SSL_eNULL, 0, 0,
0, 0, 0, 0},
{0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2,
SSL_EXP_MASK, 0, 0, 0},
/*
* key exchange aliases (some of those using only a single bit here
@@ -916,7 +916,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl,
cp->algo_strength);
#endif
if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
goto ok;
if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
goto ok;
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue;
if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -935,6 +938,8 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
continue;
}
ok:
#ifdef CIPHER_DEBUG
printf("Action = %d\n", rule);
#endif