Commit fa25763b authored by Matt Caswell's avatar Matt Caswell
Browse files

Put the default set of TLSv1.3 ciphersuites in a header file 



Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5392)
parent 74826901

include/openssl/ssl.h

+5 −0
Original line number Diff line number Diff line
@@ -169,8 +169,13 @@ extern "C" { 
/*

 * The following cipher list is used by default. It also is substituted when

 * an application-defined cipher list string starts with 'DEFAULT'.

 * This applies to ciphersuites for TLSv1.2 and below.

 */

# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"

/* This is the default set of TLSv1.3 ciphersuites */

# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \

                                  "TLS_CHACHA20_POLY1305_SHA256:" \

                                  "TLS_AES_128_GCM_SHA256"

/*

 * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always

 * starts with a reasonable order, and all we have to do for DEFAULT is

ssl/ssl_lib.c

+1 −4
Original line number Diff line number Diff line
@@ -3019,10 +3019,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) 
        goto err;

#endif



    if (!SSL_CTX_set_ciphersuites(ret,

            "TLS_AES_256_GCM_SHA384:"

            "TLS_CHACHA20_POLY1305_SHA256:"

            "TLS_AES_128_GCM_SHA256"))

    if (!SSL_CTX_set_ciphersuites(ret, TLS_DEFAULT_CIPHERSUITES))

        goto err;



    if (!ssl_create_cipher_list(ret->method,