diff options
| -rw-r--r-- | CHANGES | 5 | ||||
| -rw-r--r-- | doc/apps/ciphers.pod | 24 | ||||
| -rw-r--r-- | ssl/ssl.h | 17 | ||||
| -rw-r--r-- | ssl/ssl_ciph.c | 2 |
4 files changed, 48 insertions, 0 deletions
@@ -101,6 +101,11 @@ Changes between 0.9.6e and 0.9.7 [XX xxx 2002] + *) Add cipher selection rules COMPLEMENTOFALL and COMPLENENTOFDEFAULT + to allow version independent disabling of normally unselected ciphers, + which may be activated as a side-effect of selecting a single cipher. + [Lutz Jaenicke, Bodo Moeller] + *) Add appropriate support for separate platform-dependent build directories. The recommended way to make a platform-dependent build directory is the following (tested on Linux), maybe with diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 21077614a7..c90484b70e 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -108,10 +108,20 @@ the default cipher list. This is determined at compile time and is normally B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string specified. +=item B<COMPLEMENTOFDEFAULT> + +the ciphers not enabled by default, currently being B<ADH>. This rule does not +cover B<eNULL>, which is not included by B<ALL> and is therefore be handled by +B<COMPLENETOFALL>. + =item B<ALL> all ciphers suites except the B<eNULL> ciphers which must be explicitly enabled. +=item B<COMPLEMENTOFALL> + +the cipher suites not enabled by B<ALL>, currently being B<eNULL>. + =item B<HIGH> "high" encryption cipher suites. This currently means those with key lengths larger @@ -339,8 +349,22 @@ Include only 3DES ciphers and then place RSA ciphers last: openssl ciphers -v '3DES:+RSA' +Include all RC4 ciphers but leave out those without authentication: + + openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' + +Include all chiphers with RSA authentication but leave out ciphers without +encryption. + + openssl ciphers -v 'RSA:!COMPLEMENTOFALL' + =head1 SEE ALSO L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)> +=head1 HISTORY + +The B<COMPLENTOFALL> and B<COMPLEMENTOFDEFAULT> selection options were +added in version 0.9.7. + =cut @@ -266,6 +266,23 @@ extern "C" { #define SSL_TXT_TLSV1 "TLSv1" #define SSL_TXT_ALL "ALL" +/* + * COMPLEMENTOF* definitions. These identifiers are used to (de-select) + * ciphers normally not being used. + * Example: "RC4" will activate all ciphers using RC4 including ciphers + * without authentication, which would normally disabled by DEFAULT (due + * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT" + * will make sure that it is also disabled in the specific selection. + * COMPLEMENTOF* identifiers are portable between version, as adjustments + * to the default cipher setup will also be included here. + * + * COMPLEMENTOFDEFAULT does not experience the same special treatment that + * DEFAULT gets, as only selection is being done and no sorting as needed + * for DEFAULT. + */ +#define SSL_TXT_CMPALL "COMPLEMENTOFALL" +#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" + /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index a1cef72082..37f58886a6 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -102,6 +102,8 @@ typedef struct cipher_order_st static const SSL_CIPHER cipher_aliases[]={ /* Don't include eNULL unless specifically enabled. */ {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ + {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */ + {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */ {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, |