Commit c85c1e08 authored by Kurt Roeckx

Disable export and SSLv2 ciphers by default



They are moved to COMPLEMENTOFDEFAULT instead.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
parent c2f5de13
+2 −1
@@ -4,7 +4,8 @@

 Changes between 0.9.8ze and 0.9.8zf [xx XXX xxxx]

  *)
  *) Removed the export and SSLv2 ciphers from the DEFAULT ciphers
     [Kurt Roeckx]

 Changes between 0.9.8zd and 0.9.8ze [15 Jan 2015]

+1 −1
@@ -105,7 +105,7 @@ The following is a list of all permitted cipher strings and their meanings.
=item B<DEFAULT>

the default cipher list. This is determined at compile time and is normally
B<AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH>. This must be the first cipher string
B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:@STRENGTH>. This must be the first cipher string
specified.

=item B<COMPLEMENTOFDEFAULT>
+1 −2
@@ -323,8 +323,7 @@ extern "C" {
 * The following cipher list is used by default. It also is substituted when
 * an application-defined cipher list string starts with 'DEFAULT'.
 */
/* low priority for RC4 */
# define SSL_DEFAULT_CIPHER_LIST "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH"
# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:@STRENGTH"

/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN       1
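Review bot: The comment block above the new SSL_DEFAULT_CIPHER_LIST definition (it starts outside the hunk) still only says the list is "used by default", while the change drops the RC4 note and now deliberately excludes export, SSLv2 and anonymous suites; a reader of the public header has no way to tell where those suites went. I would add `/* Export, SSLv2 and anonymous suites are left out on purpose; COMPLEMENTOFDEFAULT selects them. */` directly above the define so the header and ciphers.pod tell the same story.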
+13 −3
@@ -174,12 +174,11 @@ static const SSL_CIPHER cipher_aliases[] = {
    {0, SSL_TXT_ALL, 0, SSL_ALL & ~SSL_eNULL & ~SSL_kECDH & ~SSL_kECDHE,
     SSL_ALL, 0, 0, 0, SSL_ALL, SSL_ALL},
    /*
     * TODO: COMPLEMENT OF ALL and COMPLEMENT OF DEFAULT do not have ECC
     * cipher suites handled properly.
     * TODO: COMPLEMENT OF ALL do not have ECC cipher suites handled properly.
     */
    /* COMPLEMENT OF ALL */
    {0, SSL_TXT_CMPALL, 0, SSL_eNULL, 0, 0, 0, 0, SSL_ENC_MASK, 0},
    {0, SSL_TXT_CMPDEF, 0, SSL_ADH, 0, 0, 0, 0, SSL_AUTH_MASK, 0},
    {0, SSL_TXT_CMPDEF, 0, SSL_ADH, SSL_EXP_MASK, 0, 0, 0, SSL_AUTH_MASK, 0},
    /* VRS Kerberos5 */
    {0, SSL_TXT_kKRB5, 0, SSL_kKRB5, 0, 0, 0, 0, SSL_MKEY_MASK, 0},
    {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, SSL_MKEY_MASK, 0},
@@ -636,6 +635,15 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
        curr2 = curr->next;

        cp = curr->cipher;
        /* Special case: only satisfied by COMPLEMENTOFDEFAULT */
        if (algo_strength == SSL_EXP_MASK) {
            if ((SSL_C_IS_EXPORT(cp) || cp->algorithms & SSL_SSLV2
                || cp->algorithms & SSL_aNULL)
                && !(cp->algorithms & (SSL_kECDHE|SSL_kECDH)))
                goto ok;
            else
                continue;
        }

        /*
         * If explicit cipher suite, match only that one for its own protocol
@@ -675,6 +683,8 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
        } else if (strength_bits != cp->strength_bits)
            continue;           /* does not apply */

        ok:

#ifdef CIPHER_DEBUG
        printf("Action = %d\n", rule);
#endif
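Review bot: The special case added at the top of the loop in ssl_cipher_apply_rule uses `algo_strength == SSL_EXP_MASK` as an in-band sentinel, and nothing in the hunk says that this relies on no ordinary rule ever carrying exactly that value, or that the `goto ok` skips the algorithm and strength matching so the `SSL_ADH`/`SSL_AUTH_MASK` fields of the new SSL_TXT_CMPDEF row in cipher_aliases appear not to influence the match at all. I would extend the comment to `/* Special case: only satisfied by COMPLEMENTOFDEFAULT, whose alias row passes SSL_EXP_MASK as a sentinel strength; membership is decided here, not by the row's algorithm fields */`. The condition also mixes `&` into an `||` chain without parentheses; `if ((SSL_C_IS_EXPORT(cp) || (cp->algorithms & SSL_SSLV2)` / `|| (cp->algorithms & SSL_aNULL))` / `&& !(cp->algorithms & (SSL_kECDHE | SSL_kECDH)))` reads more safely. ssl_cipher_apply_rule both starts and ends outside the hunk.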
+1 −0
@@ -1562,6 +1562,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)

    ssl_create_cipher_list(ret->method,
                           &ret->cipher_list, &ret->cipher_list_by_id,
                           meth->version == SSL2_VERSION ? "SSLv2" :
                           SSL_DEFAULT_CIPHER_LIST);
    if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
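Review bot: The new ternary hands an SSLv2-method context the bare `"SSLv2"` list instead of SSL_DEFAULT_CIPHER_LIST, and nothing records why; if that alias still matches export-strength SSLv2 suites, such contexts keep exactly the ciphers this commit removes from DEFAULT, so `"SSLv2:!EXPORT"` would be closer to the stated intent — worth confirming against the alias table. Either way the line deserves a comment, e.g. `/* DEFAULT now excludes SSLv2 suites; an SSLv2-only method would otherwise get an empty list and fail the check below */`. SSL_CTX_new continues outside the hunk.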