lib/vtls/openssl.c +14 −4 @@ -154,8 +154,16 @@ static unsigned long OpenSSL_version_num(void) #define OSSL_PACKAGE "OpenSSL" #define OSSL_PACKAGE "OpenSSL" #endif #endif #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* up2date versions of OpenSSL maintain the default reasonably secure without * breaking compatibility, so it is better not to override the default by curl */ #define DEFAULT_CIPHER_SELECTION NULL #else /* ... but it is not the case with old versions of OpenSSL */ #define DEFAULT_CIPHER_SELECTION \ #define DEFAULT_CIPHER_SELECTION \ "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" #endif struct ssl_backend_data { struct ssl_backend_data { /* these ones requires specific SSL-types */ /* these ones requires specific SSL-types */ @@ -2116,11 +2124,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) ciphers = SSL_CONN_CONFIG(cipher_list); ciphers = SSL_CONN_CONFIG(cipher_list); if(!ciphers) if(!ciphers) ciphers = (char *)DEFAULT_CIPHER_SELECTION; ciphers = (char *)DEFAULT_CIPHER_SELECTION; if(ciphers) { if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) { if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) { failf(data, "failed setting cipher list: %s", ciphers); failf(data, "failed setting cipher list: %s", ciphers); return CURLE_SSL_CIPHER; return CURLE_SSL_CIPHER; } } infof(data, "Cipher selection: %s\n", ciphers); infof(data, "Cipher selection: %s\n", ciphers); } #ifdef USE_TLS_SRP #ifdef USE_TLS_SRP if(ssl_authtype == CURL_TLSAUTH_SRP) { if(ssl_authtype == CURL_TLSAUTH_SRP) {
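Review bot: The `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)` guard in the first hunk decides by version number alone, so a fork that reports a high number (LibreSSL, as far as I know, sets it to 0x20000000L) would also drop curl's explicit cipher string, while the comment only argues for up-to-date OpenSSL itself. Unless a part of the file outside this view already handles forks, consider `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)`, or say in the comment that forks are meant to be covered. In the second hunk the new `if(ciphers)` path logs nothing when the library default applies; an `else infof(data, "Cipher selection: library default\n");` would keep verbose output showing which cipher policy was in effect. ossl_connect_step1 starts and ends outside the hunk.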
lib/vtls/openssl.c +14 −4 @@ -154,8 +154,16 @@ static unsigned long OpenSSL_version_num(void) #define OSSL_PACKAGE "OpenSSL" #define OSSL_PACKAGE "OpenSSL" #endif #endif #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* up2date versions of OpenSSL maintain the default reasonably secure without * breaking compatibility, so it is better not to override the default by curl */ #define DEFAULT_CIPHER_SELECTION NULL #else /* ... but it is not the case with old versions of OpenSSL */ #define DEFAULT_CIPHER_SELECTION \ #define DEFAULT_CIPHER_SELECTION \ "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" #endif struct ssl_backend_data { struct ssl_backend_data { /* these ones requires specific SSL-types */ /* these ones requires specific SSL-types */ @@ -2116,11 +2124,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) ciphers = SSL_CONN_CONFIG(cipher_list); ciphers = SSL_CONN_CONFIG(cipher_list); if(!ciphers) if(!ciphers) ciphers = (char *)DEFAULT_CIPHER_SELECTION; ciphers = (char *)DEFAULT_CIPHER_SELECTION; if(ciphers) { if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) { if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) { failf(data, "failed setting cipher list: %s", ciphers); failf(data, "failed setting cipher list: %s", ciphers); return CURLE_SSL_CIPHER; return CURLE_SSL_CIPHER; } } infof(data, "Cipher selection: %s\n", ciphers); infof(data, "Cipher selection: %s\n", ciphers); } #ifdef USE_TLS_SRP #ifdef USE_TLS_SRP if(ssl_authtype == CURL_TLSAUTH_SRP) { if(ssl_authtype == CURL_TLSAUTH_SRP) {