Commit 3bd95a14 authored by Bodo Möller

Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a
ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.
parent fd31dfae
+5 −0
@@ -4,6 +4,11 @@

 Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]

  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
     a ciphersuite string such as "DEFAULT:RSA" cannot enable
     authentication-only ciphersuites.
     [Bodo Moeller]

  *) Since AES128 and AES256 share a single mask bit in the logic of
     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
     kludge to work properly if AES128 is available and AES256 isn't.
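Review bot: the new CHANGES entry documents only the addition of "!eNULL", but the accompanying ssl.h change also replaces "!ADH" with "!aNULL", which widens the exclusion from anonymous DH specifically to every ciphersuite class without authentication. Release notes are what users read to learn that "DEFAULT" now behaves differently, so the entry should state both changes, e.g. "Replace "!ADH" with "!aNULL" and add "!eNULL" in SSL_DEFAULT_CIPHER_LIST ...".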
+1 −1
@@ -303,7 +303,7 @@ extern "C" {
/* The following cipher list is used by default.
 * It also is substituted when an application-defined cipher list string
 * starts with 'DEFAULT'. */
#define SSL_DEFAULT_CIPHER_LIST	"ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL+RC4:@STRENGTH" /* low priority for RC4 */

/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
#define SSL_SENT_SHUTDOWN	1
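Review bot: the replacement string "ALL:!aNULL:!eNULL+RC4:@STRENGTH" is missing the ':' between "!eNULL" and "+RC4". The cipher list parser in ssl/ssl_ciph.c splits rules on ':', ',' and spaces, and treats '+' inside a rule as a logical AND, so "!eNULL+RC4" is parsed as a single KILL rule matching ciphers that are both eNULL and RC4. No such ciphersuite exists, so no eNULL suite is actually removed and the intended "+RC4" move-to-end ordering is lost as well, which defeats the purpose stated in the commit message. The line should read "ALL:!aNULL:!eNULL:+RC4:@STRENGTH"; it is worth checking the output of `openssl ciphers -v 'DEFAULT:RSA'` after the fix to confirm NULL-MD5/NULL-SHA no longer appear.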