authorBodo Möller <bodo@openssl.org>2007-02-19 18:35:45 +0000
committerBodo Möller <bodo@openssl.org>2007-02-19 18:35:45 +0000
commit3bd95a14ca76316e64e60c8e3f97a454eeb663bd (patch)
tree847e2e9a83577232aa900037674aa0c2f1863732
parentfd31dfae391889a4d8a97620b043bf6ae6379159 (diff)
Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a
ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites.
-rw-r--r--CHANGES5
-rw-r--r--ssl/ssl.h2
2 files changed, 6 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index 2af9dfad71..e32b08cff4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
Changes between 0.9.7l and 0.9.7m [xx XXX xxxx]
+ *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
+ a ciphersuite string such as "DEFAULT:RSA" cannot enable
+ authentication-only ciphersuites.
+ [Bodo Moeller]
+
*) Since AES128 and AES256 share a single mask bit in the logic of
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
kludge to work properly if AES128 is available and AES256 isn't.
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 99e188086b..37f8d0171b 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -303,7 +303,7 @@ extern "C" {
/* The following cipher list is used by default.
* It also is substituted when an application-defined cipher list string
* starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL+RC4:@STRENGTH" /* low priority for RC4 */
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
#define SSL_SENT_SHUTDOWN 1
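Review bot: The added line drops the `:` that the removed line had before `+RC4`, so the new list reads `!eNULL+RC4` as a single token; in cipher-list syntax a `+` inside a token is the logical-AND combinator, so as written this kills only suites that are both eNULL and RC4 (none) instead of every eNULL suite, and the standalone `+RC4` move-to-end never takes effect. If that reading is right, the commit's stated goal is not met — a string such as `DEFAULT:RSA` could still append the NULL-encryption RSA suites — and the trailing comment `/* low priority for RC4 */` no longer describes what the string does. The intended line is presumably `#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */`. Since only CHANGES and ssl.h are touched, a regression check that the expanded default list contains no NULL-cipher suite would guard this macro against the same slip later.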