authorBodo Möller <bodo@openssl.org>2007-02-19 18:41:41 +0000
committerBodo Möller <bodo@openssl.org>2007-02-19 18:41:41 +0000
commit0a05123a6c90390c1290fe3bc119f1daf256b834 (patch)
tree34c7ee359825151da85292b0051a11cf9d80db9b /ssl/ssl.h
parent2afe316721982828eba29744f59244d443fc27a3 (diff)
Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a
ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites. Also, change ssl_create_cipher_list() so that it no longer starts with an arbitrary ciphersuite ordering, but instead uses the logic that we previously had in SSL_DEFAULT_CIPHER_LIST. SSL_DEFAULT_CIPHER_LIST simplifies into just "ALL:!aNULL:!eNULL".
Diffstat (limited to 'ssl/ssl.h')
-rw-r--r--ssl/ssl.h9
1 files changed, 7 insertions, 2 deletions
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 0581256d8c..b97b35e9c3 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -315,8 +315,13 @@ extern "C" {
/* The following cipher list is used by default.
* It also is substituted when an application-defined cipher list string
* starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!ADH:!AECDH:+aECDH:+kRSA:+RC4:@STRENGTH"
-/* low priority for ciphersuites w/o forwared secrecy (fixed ECDH, RSA key exchange), and for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL"
+/* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
+ * throwing out anonymous and unencrypted ciphersuites!
+ * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
+ * some of them.)
+ */
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
#define SSL_SENT_SHUTDOWN 1
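Review bot: The comment added after the new SSL_DEFAULT_CIPHER_LIST says which ciphersuites are thrown out but not why the `!` form is what makes the header comment's "DEFAULT" substitution safe, and that is the property anyone later editing this string must preserve. I would extend the comment before its closing ` */` with ` * '!' removes these ciphersuites permanently, so rules appended after DEFAULT (e.g. "DEFAULT:RSA") cannot re-enable them; do not weaken this to '-'.` The phrase "As of OpenSSL 0.9.9" also ties this definition to the current ordering logic in ssl_create_cipher_list() in ssl/ssl_ciph.c; since that function is outside this hunk, the comment should say that the two must be revisited together if that ordering changes, or drop the version reference. The hunk header counts one more context line than is visible here, presumably a blank line lost in rendering.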