authorBodo Möller <bodo@openssl.org>2007-02-21 09:33:14 +0000
committerBodo Möller <bodo@openssl.org>2007-02-21 09:33:14 +0000
commitaa79dd6895bb2d26b69d2df3b6355beb77fda089 (patch)
treea246d8d081a0dbc39b41f35439b64c828c4aed0c /ssl
parent60cad2caed280df674a52fb65eb387b19e6d6998 (diff)
prefer SHA1 over MD5 (this affects the Kerberos ciphersuites)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/ssl_ciph.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 666d44d34a..9b5a2648f6 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1180,12 +1180,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
- /* Temporarily enable AES first (preferred cipher) */
+ /* AES is our preferred symmetric cipher */
ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
- /* Temporarily enable everything else */
+ /* Temporarily enable everything else for sorting */
ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+ /* Low priority for MD5 */
+ ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, &tail);
+
/* Move anonymous ciphers to the end. Usually, these will remain disabled.
* (For applications that allow them, they aren't too bad, but we prefer
* authenticated ciphers.) */
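Review bot: The new comment `/* Low priority for MD5 */` does not say that the rule only reorders: it uses CIPHER_ORD rather than CIPHER_DEL, so the MD5-MAC suites stay in the list and can still be negotiated when the configured cipher string keeps them. I would spell that out, e.g. `/* Low priority for MD5 (reorder only; MD5 suites are not disabled here) */`, so the line is not read as removing MD5. The rest of ssl_create_cipher_list lies outside the hunk; if a strength sort follows, the demotion presumably only decides between suites of equal strength, which would also be worth a few words in the comment.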