diff options
| -rw-r--r-- | lib/vtls/openssl.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 394ce2e3d..c42143a85 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -154,8 +154,16 @@ static unsigned long OpenSSL_version_num(void) #define OSSL_PACKAGE "OpenSSL" #endif +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) +/* up2date versions of OpenSSL maintain the default reasonably secure without + * breaking compatibility, so it is better not to override the default by curl + */ +#define DEFAULT_CIPHER_SELECTION NULL +#else +/* ... but it is not the case with old versions of OpenSSL */ #define DEFAULT_CIPHER_SELECTION \ "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" +#endif struct ssl_backend_data { /* these ones requires specific SSL-types */ @@ -2116,11 +2124,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) ciphers = SSL_CONN_CONFIG(cipher_list); if(!ciphers) ciphers = (char *)DEFAULT_CIPHER_SELECTION; - if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) { - failf(data, "failed setting cipher list: %s", ciphers); - return CURLE_SSL_CIPHER; + if(ciphers) { + if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) { + failf(data, "failed setting cipher list: %s", ciphers); + return CURLE_SSL_CIPHER; + } + infof(data, "Cipher selection: %s\n", ciphers); } - infof(data, "Cipher selection: %s\n", ciphers); #ifdef USE_TLS_SRP if(ssl_authtype == CURL_TLSAUTH_SRP) { |