generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove export ciphers from the DEFAULT cipher list

Browse Source 
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Kurt Roeckx
2015-03-04 21:57:52 +01:00
parent 6ee3997134
commit f417997a32
4 changed files with 13 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ssl/ssl_ciph.c
View File

@@ -235,8 +235,8 @@ static const SSL_CIPHER cipher_aliases[] = {
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!)
*/
{0, SSL_TXT_CMPDEF, 0, SSL_kEDH | SSL_kEECDH, SSL_aNULL, ~SSL_eNULL, 0, 0,
0, 0, 0, 0},
{0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2,
SSL_EXP_MASK, 0, 0, 0},
/*
* key exchange aliases (some of those using only a single bit here
@@ -1027,6 +1027,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
if (cipher_id && cipher_id != cp->id)
continue;
#endif
if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
goto ok;
if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
goto ok;
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue;
if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -1045,6 +1049,8 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
continue;
}
ok:
#ifdef CIPHER_DEBUG
fprintf(stderr, "Action = %d\n", rule);
#endif