oops -- this should have been in 0.9.8e

CHANGES

@@ -4,15 +4,13 @@
 
  Changes between 0.9.8e and 0.9.8f  [xx XXX xxxx]
 
-  *)
-
- Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]
-
   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
      a ciphersuite string such as "DEFAULT:RSA" cannot enable
      authentication-only ciphersuites.
      [Bodo Moeller]
 
+ Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]
+
   *) Since AES128 and AES256 (and similarly Camellia128 and
      Camellia256) share a single mask bit in the logic of
      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a

ssl/ssl.h

@@ -317,9 +317,9 @@ extern "C" {
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
 #ifdef OPENSSL_NO_CAMELLIA
-# define SSL_DEFAULT_CIPHER_LIST	"ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
+# define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */
 #else
-# define SSL_DEFAULT_CIPHER_LIST	"AES:CAMELLIA:ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
+# define SSL_DEFAULT_CIPHER_LIST	"AES:CAMELLIA:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */
 #endif
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */