Commit 55f05012 authored by Bodo Möller

Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a

ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.
parent b2710ee1
+10 −0
@@ -4,6 +4,11 @@

 Changes between 0.9.8d and 0.9.8e  [XX xxx XXXX]

  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
     a ciphersuite string such as "DEFAULT:RSA" cannot enable
     authentication-only ciphersuites.
     [Bodo Moeller]

  *) Since AES128 and AES256 (and similarly Camellia128 and
     Camellia256) share a single mask bit in the logic of
     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
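
Review bot: The new 0.9.8e entry speaks of "authentication-only ciphersuites" while the token being added is "!eNULL", and it never says that these are the suites that provide no encryption, so a reader scanning the changelog may not connect the two. Suggest wording along the lines of "cannot enable ciphersuites without encryption (authentication only)". It would also help to say in one clause why "DEFAULT:RSA" is the example, i.e. that the "RSA" term appended after DEFAULT is what would otherwise bring such suites in, and to note how an application that deliberately wants eNULL suites is expected to request them after this change.
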
@@ -1040,6 +1045,11 @@

 Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]

  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
     a ciphersuite string such as "DEFAULT:RSA" cannot enable
     authentication-only ciphersuites.
     [Bodo Moeller]

  *) Since AES128 and AES256 share a single mask bit in the logic of
     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
     kludge to work properly if AES128 is available and AES256 isn't.
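
Review bot: The 0.9.7m entry is a verbatim copy of the 0.9.8e one, and the lines shown here change only changelog text; the edit to the SSL_DEFAULT_CIPHER_LIST definition itself is not visible in this diff. Please confirm the definition is changed on the 0.9.7 branch as well, so that this entry does not describe behaviour that branch lacks. The neighbouring AES128/AES256 entry is worded per branch (no Camellia mention here), so it is worth checking in the same way whether this entry needs any branch-specific wording.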