| author | Bodo Möller <bodo@openssl.org> | 2007-02-19 18:41:41 +0000 |
|---|---|---|
| committer | Bodo Möller <bodo@openssl.org> | 2007-02-19 18:41:41 +0000 |
| commit | 0a05123a6c90390c1290fe3bc119f1daf256b834 (patch) | |
| tree | 34c7ee359825151da85292b0051a11cf9d80db9b /ssl/ssl.h | |
| parent | 2afe316721982828eba29744f59244d443fc27a3 (diff) | |
Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a
ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.
Also, change ssl_create_cipher_list() so that it no longer
starts with an arbitrary ciphersuite ordering, but instead
uses the logic that we previously had in SSL_DEFAULT_CIPHER_LIST.
SSL_DEFAULT_CIPHER_LIST simplifies into just "ALL:!aNULL:!eNULL".
Diffstat (limited to 'ssl/ssl.h')
-rw-r--r-- | ssl/ssl.h | 9 |
1 files changed, 7 insertions, 2 deletions
@@ -315,8 +315,13 @@ extern "C" { /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ -#define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!ADH:!AECDH:+aECDH:+kRSA:+RC4:@STRENGTH" -/* low priority for ciphersuites w/o forwared secrecy (fixed ECDH, RSA key exchange), and for RC4 */ +#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL" +/* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always + * starts with a reasonable order, and all we have to do for DEFAULT is + * throwing out anonymous and unencrypted ciphersuites! + * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable + * some of them.) + */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ #define SSL_SENT_SHUTDOWN 1 |
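Review bot: the new comment above the SSL_DEFAULT_CIPHER_LIST define should state the mechanism, not just the goal: "!aNULL" and "!eNULL" use the "!" prefix, which removes those suites permanently for the rest of the string, so a later "RSA" in an application string such as "DEFAULT:RSA" (the case the commit message is fixing) cannot re-enable them, whereas a "-" prefix would leave them re-addable. The existing parenthetical "(The latter are not actually enabled by ALL, but "ALL:RSA" would enable some of them.)" explains why "!eNULL" is needed but not why "!" rather than "-" is the right operator, and that distinction is the whole security point of the change. Two smaller items: "all we have to do for DEFAULT is throwing out" should read "is to throw out", and since the old "!ADH:!AECDH" and the "AES:CAMELLIA:...:@STRENGTH" ordering disappear here, a one-line remark that the anonymous suites are now covered by "!aNULL" and that the ordering moved into ssl_create_cipher_list() in ssl/ssl_ciph.c (not part of this file's diff) would save the next reader a trip to the commit log.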