generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Change the DEFAULT ciphersuites to exclude DES, RC4 and RC2

Browse Source 
This patch updates the "DEFAULT" cipherstring to be
"ALL:!COMPLEMENTOFDEFAULT:!eNULL". COMPLEMENTOFDEFAULT is now defined
internally by a flag on each ciphersuite indicating whether it should be
excluded from DEFAULT or not. This gives us control at an individual
ciphersuite level as to exactly what is in DEFAULT and what is not.

Finally all DES, RC4 and RC2 ciphersuites are added to COMPLEMENTOFDEFAULT
and hence removed from DEFAULT.

Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit is contained in:
Matt Caswell
2015-09-29 11:14:35 +01:00
parent 8eed3289b2
commit c84f7f4a74
6 changed files with 98 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
doc/apps/ciphers.pod
View File

@@ -117,15 +117,16 @@ The following is a list of all permitted cipher strings and their meanings.
=item B<DEFAULT>
the default cipher list. This is determined at compile time and, as of OpenSSL
1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string
specified.
the default cipher list. This is determined at compile time and
is B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>. This must be the first cipher
string specified.
=item B<COMPLEMENTOFDEFAULT>
the ciphers included in B<ALL>, but not enabled by default. Currently
this is B<ADH> and B<AECDH>. Note that this rule does not cover B<eNULL>,
which is not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
necessary).
=item B<ALL>