author | Todd Short <tshort@akamai.com> | 2019-04-05 10:03:29 -0400 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2019-06-11 09:44:26 +0100 |
commit | 5d120511679ed69669e29b374a3bab1c50ff5134 (patch) | |
tree | d3ba2fbe02170e3dee4825852549148bb6937951 /ssl | |
parent | 3f91ede9aea70774d9b5d509bc76d484ebaff6aa (diff) |
Change cipher default strings to a function
Making the default cipher strings a function gives the library more
control over the defaults, potentially allowing the defaults to change in
the future as ciphers become deprecated or dangerous.
Also allows third party distributors to change the defaults for their
installations.
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8686)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_ciph.c | 26 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 8 |
2 files changed, 29 insertions, 5 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 968998b237..6cb8b33b5b 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1573,7 +1573,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 ok = 1;
 rule_p = rule_str;
 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
- ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
+ ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
 &head, &tail, ca_list, c);
 rule_p += 7;
 if (*rule_p == ':')
@@ -2168,3 +2168,27 @@ int ssl_cert_is_disabled(size_t idx)
 return 1;
 return 0;
 }
+
+/*
+ * Default list of TLSv1.2 (and earlier) ciphers
+ * SSL_DEFAULT_CIPHER_LIST deprecated in 3.0.0
+ * Update both macro and function simultaneously
+ */
+const char *OSSL_default_cipher_list(void)
+{
+ return "ALL:!COMPLEMENTOFDEFAULT:!eNULL";
+}
+
+/*
+ * Default list of TLSv1.3 (and later) ciphers
+ * TLS_DEFAULT_CIPHERSUITES deprecated in 3.0.0
+ * Update both macro and function simultaneously
+ */
+const char *OSSL_default_ciphersuites(void)
+{
+ return "TLS_AES_256_GCM_SHA384:"
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ "TLS_CHACHA20_POLY1305_SHA256:"
+#endif
+ "TLS_AES_128_GCM_SHA256";
+}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 03c768010b..cf79ac50af 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -655,7 +655,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
 ctx->method = meth;
- if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) {
+ if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) {
 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
 return 0;
 }
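Review bot: The new OSSL_default_cipher_list() and OSSL_default_ciphersuites() in the second ssl_ciph.c hunk duplicate the strings behind SSL_DEFAULT_CIPHER_LIST and TLS_DEFAULT_CIPHERSUITES, and the comment `Update both macro and function simultaneously` turns that duplication into a manual invariant that nothing in this diff enforces; the diffstat is limited to ssl/, so any header or test change that might cover it is not visible here. Once the two drift — for example a distributor narrowing the function, as the commit message invites, without touching the macro — the `DEFAULT` keyword in ssl_create_cipher_list (first hunk) and applications that pass the macro literally will negotiate different cipher sets, a silent policy divergence that is hard to spot in the field. A cheap guard is a test asserting `strcmp(OSSL_default_cipher_list(), SSL_DEFAULT_CIPHER_LIST) == 0` and the same for the TLSv1.3 pair, kept for as long as the deprecated macros exist. The function comments should also state the ownership contract of the return value, e.g. `* Returns a pointer to a static, read-only string; callers must not modify or free it.`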
@@ -663,7 +663,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
 ctx->tls13_ciphersuites,
 &(ctx->cipher_list),
 &(ctx->cipher_list_by_id),
- SSL_DEFAULT_CIPHER_LIST, ctx->cert);
+ OSSL_default_cipher_list(), ctx->cert);
 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
 return 0;
@@ -3078,13 +3078,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 goto err;
 #endif
- if (!SSL_CTX_set_ciphersuites(ret, TLS_DEFAULT_CIPHERSUITES))
+ if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites()))
 goto err;
 if (!ssl_create_cipher_list(ret->method,
 ret->tls13_ciphersuites,
 &ret->cipher_list, &ret->cipher_list_by_id,
- SSL_DEFAULT_CIPHER_LIST, ret->cert)
+ OSSL_default_cipher_list(), ret->cert)
 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
 goto err2;