diff options
| author | Kurt Roeckx <kurt@roeckx.be> | 2015-03-04 21:57:52 +0100 |
|---|---|---|
| committer | Kurt Roeckx <kurt@roeckx.be> | 2015-03-07 23:08:12 +0100 |
| commit | bc2e18a3c818ae7e2d8c996b6648aa4ae8e3ee28 (patch) | |
| tree | a6282d6cdc4a87da233b5986849a9f33d672de6d | |
| parent | 0440d4ebe41d523d57acc841c483375df0e3e75f (diff) | |
| download | openssl-new-bc2e18a3c818ae7e2d8c996b6648aa4ae8e3ee28.tar.gz | |
Remove export ciphers from the DEFAULT cipher list
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f417997a324037025be61737288e40e171a8218c)
Conflicts:
ssl/ssl_ciph.c
| -rw-r--r-- | CHANGES | 3 | ||||
| -rw-r--r-- | doc/apps/ciphers.pod | 4 | ||||
| -rw-r--r-- | ssl/ssl.h | 2 | ||||
| -rw-r--r-- | ssl/ssl_ciph.c | 11 |
4 files changed, 13 insertions, 7 deletions
@@ -4,7 +4,8 @@ Changes between 1.0.1l and 1.0.1m [xx XXX xxxx] - *) + *) Removed the export ciphers from the DEFAULT ciphers + [Kurt Roeckx] Changes between 1.0.1k and 1.0.1l [15 Jan 2015] diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 6086d0a715..0aa1bad111 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -109,8 +109,8 @@ The following is a list of all permitted cipher strings and their meanings. =item B<DEFAULT> -the default cipher list. This is determined at compile time and, as of OpenSSL -1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string +the default cipher list. This is determined at compile time and +is normally B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>. This must be the firstcipher string specified. =item B<COMPLEMENTOFDEFAULT> @@ -334,7 +334,7 @@ extern "C" { * The following cipher list is used by default. It also is substituted when * an application-defined cipher list string starts with 'DEFAULT'. */ -# define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2" +# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2" /* * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * starts with a reasonable order, and all we have to do for DEFAULT is diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 51a4a04a23..cac525e860 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -235,8 +235,8 @@ static const SSL_CIPHER cipher_aliases[] = { * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in * ALL!) */ - {0, SSL_TXT_CMPDEF, 0, SSL_kEDH | SSL_kEECDH, SSL_aNULL, ~SSL_eNULL, 0, 0, - 0, 0, 0, 0}, + {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2, + SSL_EXP_MASK, 0, 0, 0}, /* * key exchange aliases (some of those using only a single bit here @@ -997,7 +997,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); #endif - + if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp)) + goto ok; + if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2) + goto ok; if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) continue; if (alg_auth && !(alg_auth & cp->algorithm_auth)) @@ -1016,6 +1019,8 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, continue; } + ok: + #ifdef CIPHER_DEBUG fprintf(stderr, "Action = %d\n", rule); #endif |