author | Bodo Möller <bodo@openssl.org> | 2007-02-19 18:35:45 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2007-02-19 18:35:45 +0000 |
commit | 3bd95a14ca76316e64e60c8e3f97a454eeb663bd (patch) | |
tree | 847e2e9a83577232aa900037674aa0c2f1863732 | |
parent | fd31dfae391889a4d8a97620b043bf6ae6379159 (diff) |
Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a
ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | ssl/ssl.h | 2 |
2 files changed, 6 insertions, 1 deletions
@@ -4,6 +4,11 @@ Changes between 0.9.7l and 0.9.7m [xx XXX xxxx] + *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that + a ciphersuite string such as "DEFAULT:RSA" cannot enable + authentication-only ciphersuites. + [Bodo Moeller] + *) Since AES128 and AES256 share a single mask bit in the logic of ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a kludge to work properly if AES128 is available and AES256 isn't. @@ -303,7 +303,7 @@ extern "C" { /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ -#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */ +#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL+RC4:@STRENGTH" /* low priority for RC4 */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ #define SSL_SENT_SHUTDOWN 1 |
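Review bot: The new `SSL_DEFAULT_CIPHER_LIST` value in the ssl/ssl.h hunk reads `!eNULL+RC4`, with no `:` between the exclusion and the RC4 term. In the cipher-list syntax a `+` between two names joins them into a single AND term, so as written this would remove only suites that are both eNULL and RC4 instead of every eNULL suite, and the separate `+RC4` low-priority move is lost, so the goal stated in the commit message is not met. The line should presumably be `#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:+RC4:@STRENGTH"`. The same line also replaces `!ADH` with `!aNULL`, which neither the commit message nor the CHANGES entry mentions and which deserves a word there. A regression check that `openssl ciphers -v 'DEFAULT:RSA'` prints no `Enc=None` entry would catch this kind of slip.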