author | Matt Caswell <matt@openssl.org> | 2015-09-29 11:14:35 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-09-30 19:15:06 +0100 |
commit | c84f7f4a7405d69be4227d4766290b0950122b3c (patch) | |
tree | 3ae21ee691960e88e3291d10eef5d9540f70b992 /doc | |
parent | 8eed3289b21d25583ed44742db43a2d727b79643 (diff) |
Change the DEFAULT ciphersuites to exclude DES, RC4 and RC2

This patch updates the "DEFAULT" cipherstring to be
"ALL:!COMPLEMENTOFDEFAULT:!eNULL". COMPLEMENTOFDEFAULT is now defined
internally by a flag on each ciphersuite indicating whether it should be
excluded from DEFAULT or not. This gives us control at an individual
ciphersuite level as to exactly what is in DEFAULT and what is not.
Finally all DES, RC4 and RC2 ciphersuites are added to COMPLEMENTOFDEFAULT
and hence removed from DEFAULT.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Diffstat (limited to 'doc')
-rw-r--r-- | doc/apps/ciphers.pod | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 64f122ffed..75982762d3 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -117,15 +117,16 @@ The following is a list of all permitted cipher strings and their meanings. =item B<DEFAULT> -the default cipher list. This is determined at compile time and, as of OpenSSL -1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string -specified. +the default cipher list. This is determined at compile time and +is B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>. This must be the first cipher +string specified. =item B<COMPLEMENTOFDEFAULT> the ciphers included in B<ALL>, but not enabled by default. Currently -this is B<ADH> and B<AECDH>. Note that this rule does not cover B<eNULL>, -which is not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary). +this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does +not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if +necessary). =item B<ALL> |
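
Review bot: The two items in this hunk now define each other, so the documentation no longer tells a reader what DEFAULT actually contains. B<DEFAULT> is given as "B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>", while the unchanged first line of B<COMPLEMENTOFDEFAULT> still reads "the ciphers included in B<ALL>, but not enabled by default", and the new sentence "Currently this includes all RC4, DES, RC2 and anonymous ciphers" uses "includes", which reads as a partial list. Please state whether that list is exhaustive, and spell out whether "DES" here means single DES only or also covers triple DES, since administrators auditing their defaults will rely on this wording. The B<DEFAULT> text also drops the "as of OpenSSL 1.0.0" qualifier without replacing it; naming the release from which the new default applies would help anyone comparing behaviour across versions, because the removed wording ("normally B<ALL:!aNULL:!eNULL>") still describes older installs.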