diff options
author | Todd Short <tshort@akamai.com> | 2019-04-05 10:03:29 -0400 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2019-06-11 09:44:26 +0100 |
commit | 5d120511679ed69669e29b374a3bab1c50ff5134 (patch) | |
tree | d3ba2fbe02170e3dee4825852549148bb6937951 /ssl/ssl_ciph.c | |
parent | 3f91ede9aea70774d9b5d509bc76d484ebaff6aa (diff) |
Change cipher default strings to a function
Making the default cipher strings a function gives the library more
control over the defaults. Potentially allowing a change in the
future as ciphers become deprecated or dangerous.
Also allows third party distributors to change the defaults for their
installations.
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8686)
Diffstat (limited to 'ssl/ssl_ciph.c')
-rw-r--r-- | ssl/ssl_ciph.c | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 968998b237..6cb8b33b5b 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1573,7 +1573,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, ok = 1; rule_p = rule_str; if (strncmp(rule_str, "DEFAULT", 7) == 0) { - ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, + ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(), &head, &tail, ca_list, c); rule_p += 7; if (*rule_p == ':') @@ -2168,3 +2168,27 @@ int ssl_cert_is_disabled(size_t idx) return 1; return 0; } + +/* + * Default list of TLSv1.2 (and earlier) ciphers + * SSL_DEFAULT_CIPHER_LIST deprecated in 3.0.0 + * Update both macro and function simultaneously + */ +const char *OSSL_default_cipher_list(void) +{ + return "ALL:!COMPLEMENTOFDEFAULT:!eNULL"; +} + +/* + * Default list of TLSv1.3 (and later) ciphers + * TLS_DEFAULT_CIPHERSUITES deprecated in 3.0.0 + * Update both macro and function simultaneously + */ +const char *OSSL_default_ciphersuites(void) +{ + return "TLS_AES_256_GCM_SHA384:" +#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) + "TLS_CHACHA20_POLY1305_SHA256:" +#endif + "TLS_AES_128_GCM_SHA256"; +} |