New cipher selection options COMPLEMENTOFALL and COMPLEMENTOFDEFAULT.
Submitted by: Reviewed by: PR: 127
parent
1649d85d10
commit
c6ccf055ba
5
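--- a/CHANGES
+++ b/CHANGES
@@ -101,6 +101,11 @@
 
 Changes between 0.9.6e and 0.9.7 [XX xxx 2002]
 
+*) Add cipher selection rules COMPLEMENTOFALL and COMPLENENTOFDEFAULT
+to allow version independent disabling of normally unselected ciphers,
+which may be activated as a side-effect of selecting a single cipher.
+[Lutz Jaenicke, Bodo Moeller]
+
 *) Add appropriate support for separate platform-dependent build
 directories. The recommended way to make a platform-dependent
 build directory is the following (tested on Linux), maybe with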
@ -108,10 +108,20 @@ the default cipher list. This is determined at compile time and is normally
|
|||||||
B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string
|
B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string
|
||||||
specified.
|
specified.
|
||||||
|
|
||||||
|
=item B<COMPLEMENTOFDEFAULT>
|
||||||
|
|
||||||
|
the ciphers not enabled by default, currently being B<ADH>. This rule does not
|
||||||
|
cover B<eNULL>, which is not included by B<ALL> and is therefore be handled by
|
||||||
|
B<COMPLENETOFALL>.
|
||||||
|
|
||||||
=item B<ALL>
|
=item B<ALL>
|
||||||
|
|
||||||
all ciphers suites except the B<eNULL> ciphers which must be explicitly enabled.
|
all ciphers suites except the B<eNULL> ciphers which must be explicitly enabled.
|
||||||
|
|
||||||
|
=item B<COMPLEMENTOFALL>
|
||||||
|
|
||||||
|
the cipher suites not enabled by B<ALL>, currently being B<eNULL>.
|
||||||
|
|
||||||
=item B<HIGH>
|
=item B<HIGH>
|
||||||
|
|
||||||
"high" encryption cipher suites. This currently means those with key lengths larger
|
"high" encryption cipher suites. This currently means those with key lengths larger
|
||||||
@ -339,8 +349,22 @@ Include only 3DES ciphers and then place RSA ciphers last:
|
|||||||
|
|
||||||
openssl ciphers -v '3DES:+RSA'
|
openssl ciphers -v '3DES:+RSA'
|
||||||
|
|
||||||
|
Include all RC4 ciphers but leave out those without authentication:
|
||||||
|
|
||||||
|
openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
|
||||||
|
|
||||||
|
Include all chiphers with RSA authentication but leave out ciphers without
|
||||||
|
encryption.
|
||||||
|
|
||||||
|
openssl ciphers -v 'RSA:!COMPLEMENTOFALL'
|
||||||
|
|
||||||
=head1 SEE ALSO
|
=head1 SEE ALSO
|
||||||
|
|
||||||
L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)>
|
L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)>
|
||||||
|
|
||||||
|
=head1 HISTORY
|
||||||
|
|
||||||
|
The B<COMPLENTOFALL> and B<COMPLEMENTOFDEFAULT> selection options were
|
||||||
|
added in version 0.9.7.
|
||||||
|
|
||||||
=cut
|
=cut
|
||||||
|
17
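--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -266,6 +266,23 @@ extern "C" {
 #define SSL_TXT_TLSV1 "TLSv1"
 #define SSL_TXT_ALL "ALL"
 
+/*
+ * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
+ * ciphers normally not being used.
+ * Example: "RC4" will activate all ciphers using RC4 including ciphers
+ * without authentication, which would normally disabled by DEFAULT (due
+ * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
+ * will make sure that it is also disabled in the specific selection.
+ * COMPLEMENTOF* identifiers are portable between version, as adjustments
+ * to the default cipher setup will also be included here.
+ *
+ * COMPLEMENTOFDEFAULT does not experience the same special treatment that
+ * DEFAULT gets, as only selection is being done and no sorting as needed
+ * for DEFAULT.
+ */
+#define SSL_TXT_CMPALL "COMPLEMENTOFALL"
+#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
+
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */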
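Review bot: The new comment promises that "adjustments to the default cipher setup will also be included here", but this header only defines the two alias strings; the masks that give COMPLEMENTOFDEFAULT its meaning live in the cipher alias table in the cipher-list source file, and nothing here or in the default-list comment that follows the hunk points a future editor of SSL_DEFAULT_CIPHER_LIST at that table. I would add one line to the comment block before the `*/`: ` * NOTE: whoever changes the "!" exclusions in SSL_DEFAULT_CIPHER_LIST below must update the COMPLEMENTOFDEFAULT entry in the cipher alias table, or the version-independence claimed above silently breaks.` While touching the comment, the wording should read "would normally be disabled by DEFAULT (due to the "!ADH" ...)" and "portable between versions". The SSL_DEFAULT_CIPHER_LIST definition itself is outside the hunk.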
@ -102,6 +102,8 @@ typedef struct cipher_order_st
|
|||||||
static const SSL_CIPHER cipher_aliases[]={
|
static const SSL_CIPHER cipher_aliases[]={
|
||||||
/* Don't include eNULL unless specifically enabled. */
|
/* Don't include eNULL unless specifically enabled. */
|
||||||
{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
|
{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
|
||||||
|
{0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */
|
||||||
|
{0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
|
||||||
{0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
|
{0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
|
||||||
{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
|
{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
|
||||||
{0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
|
{0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
|
||||||
|
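Review bot: The `SSL_TXT_CMPDEF` row hard-codes `SSL_ADH` under `SSL_AUTH_MASK` with no comment, so the only link between this alias and the `!ADH` exclusion in SSL_DEFAULT_CIPHER_LIST is the reader's memory; the ssl.h comment in this same commit advertises COMPLEMENTOFDEFAULT as version-independent, which holds only if this row is edited whenever the default list is. I would give it a trailing comment like the row above it: `{0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, /* COMPLEMENT OF DEFAULT: mirrors the "!" exclusions in SSL_DEFAULT_CIPHER_LIST (ssl.h) */`. Likewise the `SSL_TXT_CMPALL` row is the exact inverse of the `SSL_ALL & ~SSL_eNULL` mask in the `SSL_TXT_ALL` row just above it, and a short note there (`/* COMPLEMENT OF ALL: must match what ALL masks out */`) would keep the two from drifting apart. The file header for this section is not shown on the page and the cipher_aliases table continues beyond the hunk.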