Remove export ciphers from the DEFAULT cipher list

They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit bc2e18a3c818ae7e2d8c996b6648aa4ae8e3ee28)
Kurt Roeckx 2015-03-04 21:57:52 +01:00
parent 09712fd0e3
commit 71b0bb764c
4 changed files with 13 additions and 7 deletions


@ -4,7 +4,8 @@
Changes between 1.0.0q and 1.0.0r [xx XXX xxxx] Changes between 1.0.0q and 1.0.0r [xx XXX xxxx]
*) *) Removed the export ciphers from the DEFAULT ciphers
[Kurt Roeckx]
Changes between 1.0.0p and 1.0.0q [15 Jan 2015] Changes between 1.0.0p and 1.0.0q [15 Jan 2015]


@ -109,8 +109,8 @@ The following is a list of all permitted cipher strings and their meanings.
=item B<DEFAULT> =item B<DEFAULT>
the default cipher list. This is determined at compile time and, as of OpenSSL the default cipher list. This is determined at compile time and
1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string is normally B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>. This must be the firstcipher string
specified. specified.
=item B<COMPLEMENTOFDEFAULT> =item B<COMPLEMENTOFDEFAULT>


@ -326,7 +326,7 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when * The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'. * an application-defined cipher list string starts with 'DEFAULT'.
*/ */
# define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2" # define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
/* /*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is * starts with a reasonable order, and all we have to do for DEFAULT is
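Review bot: The comment above `SSL_DEFAULT_CIPHER_LIST` does not say that export suites are now excluded, nor that the exclusion covers only the default list and strings starting with 'DEFAULT'. An application that passes its own string built from ALL would, going by the documented definition of DEFAULT as `ALL:!EXPORT:...`, still get export suites. I would add to the comment: `* Export-grade and SSLv2 suites are excluded here; a cipher string that does not start with 'DEFAULT' is not covered by this exclusion and has to exclude them itself.` The following comment block continues past the end of the hunk.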


@ -228,8 +228,8 @@ static const SSL_CIPHER cipher_aliases[] = {
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!) * ALL!)
*/ */
{0, SSL_TXT_CMPDEF, 0, SSL_kEDH | SSL_kEECDH, SSL_aNULL, ~SSL_eNULL, 0, 0, {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2,
0, 0, 0, 0}, SSL_EXP_MASK, 0, 0, 0},
/* /*
* key exchange aliases (some of those using only a single bit here * key exchange aliases (some of those using only a single bit here
@ -916,7 +916,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl,
cp->algo_strength); cp->algo_strength);
#endif #endif
if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
goto ok;
if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
goto ok;
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue; continue;
if (alg_auth && !(alg_auth & cp->algorithm_auth)) if (alg_auth && !(alg_auth & cp->algorithm_auth))
@ -935,6 +938,8 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
continue; continue;
} }
ok:
#ifdef CIPHER_DEBUG #ifdef CIPHER_DEBUG
printf("Action = %d\n", rule); printf("Action = %d\n", rule);
#endif #endif
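Review bot: The two early exits added before the `alg_mkey` test in ssl_cipher_apply_rule recognise the COMPLEMENTOFDEFAULT alias only by exact equality with `SSL_EXP_MASK` and `~SSL_SSLV2`, and nothing in the code says those values are sentinels. Because `goto ok` skips every later filter in the loop, any rule whose combined `algo_strength` or `alg_ssl` equals one of those values would select every export or SSLv2 suite regardless of its other masks. Whether another alias combination can produce those values is not visible from these hunks, so it is worth confirming. At minimum I would add a comment above the first check, such as `/* COMPLEMENTOFDEFAULT sentinels: also select export and SSLv2 suites, bypassing the mask tests below */`. The function starts and ends outside the hunks shown.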