Loading CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -101,6 +101,11 @@ Changes between 0.9.6e and 0.9.7 [XX xxx 2002] *) Add cipher selection rules COMPLEMENTOFALL and COMPLENENTOFDEFAULT to allow version independent disabling of normally unselected ciphers, which may be activated as a side-effect of selecting a single cipher. [Lutz Jaenicke, Bodo Moeller] *) Add appropriate support for separate platform-dependent build directories. The recommended way to make a platform-dependent build directory is the following (tested on Linux), maybe with Loading doc/apps/ciphers.pod +24 −0 Original line number Diff line number Diff line Loading @@ -108,10 +108,20 @@ the default cipher list. This is determined at compile time and is normally B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string specified. =item B<COMPLEMENTOFDEFAULT> the ciphers not enabled by default, currently being B<ADH>. This rule does not cover B<eNULL>, which is not included by B<ALL> and is therefore be handled by B<COMPLENETOFALL>. =item B<ALL> all ciphers suites except the B<eNULL> ciphers which must be explicitly enabled. =item B<COMPLEMENTOFALL> the cipher suites not enabled by B<ALL>, currently being B<eNULL>. =item B<HIGH> "high" encryption cipher suites. This currently means those with key lengths larger Loading Loading @@ -339,8 +349,22 @@ Include only 3DES ciphers and then place RSA ciphers last: openssl ciphers -v '3DES:+RSA' Include all RC4 ciphers but leave out those without authentication: openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' Include all chiphers with RSA authentication but leave out ciphers without encryption. openssl ciphers -v 'RSA:!COMPLEMENTOFALL' =head1 SEE ALSO L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)> =head1 HISTORY The B<COMPLENTOFALL> and B<COMPLEMENTOFDEFAULT> selection options were added in version 0.9.7. =cut ssl/ssl.h +17 −0 Original line number Diff line number Diff line Loading @@ -266,6 +266,23 @@ extern "C" { #define SSL_TXT_TLSV1 "TLSv1" #define SSL_TXT_ALL "ALL" /* * COMPLEMENTOF* definitions. These identifiers are used to (de-select) * ciphers normally not being used. * Example: "RC4" will activate all ciphers using RC4 including ciphers * without authentication, which would normally disabled by DEFAULT (due * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT" * will make sure that it is also disabled in the specific selection. * COMPLEMENTOF* identifiers are portable between version, as adjustments * to the default cipher setup will also be included here. * * COMPLEMENTOFDEFAULT does not experience the same special treatment that * DEFAULT gets, as only selection is being done and no sorting as needed * for DEFAULT. */ #define SSL_TXT_CMPALL "COMPLEMENTOFALL" #define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ Loading ssl/ssl_ciph.c +2 −0 Original line number Diff line number Diff line Loading @@ -102,6 +102,8 @@ typedef struct cipher_order_st static const SSL_CIPHER cipher_aliases[]={ /* Don't include eNULL unless specifically enabled. */ {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */ {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */ {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, Loading Loading
CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -101,6 +101,11 @@ Changes between 0.9.6e and 0.9.7 [XX xxx 2002] *) Add cipher selection rules COMPLEMENTOFALL and COMPLENENTOFDEFAULT to allow version independent disabling of normally unselected ciphers, which may be activated as a side-effect of selecting a single cipher. [Lutz Jaenicke, Bodo Moeller] *) Add appropriate support for separate platform-dependent build directories. The recommended way to make a platform-dependent build directory is the following (tested on Linux), maybe with Loading
doc/apps/ciphers.pod +24 −0 Original line number Diff line number Diff line Loading @@ -108,10 +108,20 @@ the default cipher list. This is determined at compile time and is normally B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string specified. =item B<COMPLEMENTOFDEFAULT> the ciphers not enabled by default, currently being B<ADH>. This rule does not cover B<eNULL>, which is not included by B<ALL> and is therefore be handled by B<COMPLENETOFALL>. =item B<ALL> all ciphers suites except the B<eNULL> ciphers which must be explicitly enabled. =item B<COMPLEMENTOFALL> the cipher suites not enabled by B<ALL>, currently being B<eNULL>. =item B<HIGH> "high" encryption cipher suites. This currently means those with key lengths larger Loading Loading @@ -339,8 +349,22 @@ Include only 3DES ciphers and then place RSA ciphers last: openssl ciphers -v '3DES:+RSA' Include all RC4 ciphers but leave out those without authentication: openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' Include all chiphers with RSA authentication but leave out ciphers without encryption. openssl ciphers -v 'RSA:!COMPLEMENTOFALL' =head1 SEE ALSO L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)> =head1 HISTORY The B<COMPLENTOFALL> and B<COMPLEMENTOFDEFAULT> selection options were added in version 0.9.7. =cut
ssl/ssl.h +17 −0 Original line number Diff line number Diff line Loading @@ -266,6 +266,23 @@ extern "C" { #define SSL_TXT_TLSV1 "TLSv1" #define SSL_TXT_ALL "ALL" /* * COMPLEMENTOF* definitions. These identifiers are used to (de-select) * ciphers normally not being used. * Example: "RC4" will activate all ciphers using RC4 including ciphers * without authentication, which would normally disabled by DEFAULT (due * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT" * will make sure that it is also disabled in the specific selection. * COMPLEMENTOF* identifiers are portable between version, as adjustments * to the default cipher setup will also be included here. * * COMPLEMENTOFDEFAULT does not experience the same special treatment that * DEFAULT gets, as only selection is being done and no sorting as needed * for DEFAULT. */ #define SSL_TXT_CMPALL "COMPLEMENTOFALL" #define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ Loading
ssl/ssl_ciph.c +2 −0 Original line number Diff line number Diff line Loading @@ -102,6 +102,8 @@ typedef struct cipher_order_st static const SSL_CIPHER cipher_aliases[]={ /* Don't include eNULL unless specifically enabled. */ {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */ {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */ {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, Loading
