[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Kurt Roeckx kurt at openssl.org
Sat Mar 7 22:05:23 UTC 2015


The branch OpenSSL_1_0_2-stable has been updated
       via  f417997a324037025be61737288e40e171a8218c (commit)
      from  6ee3997134e2adfaaaa62ca685681a773d2a7d9c (commit)


- Log -----------------------------------------------------------------
commit f417997a324037025be61737288e40e171a8218c
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Wed Mar 4 21:57:52 2015 +0100

    Remove export ciphers from the DEFAULT cipher list
    
    They are moved to the COMPLEMENTOFDEFAULT instead.
    This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES              |  3 ++-
 doc/apps/ciphers.pod |  4 ++--
 ssl/ssl.h            |  2 +-
 ssl/ssl_ciph.c       | 10 ++++++++--
 4 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index c1a07d7..11d93b6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,8 @@
 
  Changes between 1.0.2 and 1.0.2a [xx XXX xxxx]
 
-  *)
+  *) Removed the export ciphers from the DEFAULT ciphers
+     [Kurt Roeckx]
 
  Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
 
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 4eeb55b..e9280bc 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -109,8 +109,8 @@ The following is a list of all permitted cipher strings and their meanings.
 
 =item B<DEFAULT>
 
-the default cipher list. This is determined at compile time and, as of OpenSSL
-1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string
+the default cipher list. This is determined at compile time and
+is normally B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>. This must be the firstcipher string
 specified.
 
 =item B<COMPLEMENTOFDEFAULT>
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 2b0f662..a6d845d 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -338,7 +338,7 @@ extern "C" {
  * The following cipher list is used by default. It also is substituted when
  * an application-defined cipher list string starts with 'DEFAULT'.
  */
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
 /*
  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index b038c55..2cc9a4a 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -235,8 +235,8 @@ static const SSL_CIPHER cipher_aliases[] = {
      * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
      * ALL!)
      */
-    {0, SSL_TXT_CMPDEF, 0, SSL_kEDH | SSL_kEECDH, SSL_aNULL, ~SSL_eNULL, 0, 0,
-     0, 0, 0, 0},
+    {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2,
+     SSL_EXP_MASK, 0, 0, 0},
 
     /*
      * key exchange aliases (some of those using only a single bit here
@@ -1027,6 +1027,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
             if (cipher_id && cipher_id != cp->id)
                 continue;
 #endif
+            if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
+                goto ok;
+            if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
+                goto ok;
             if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
                 continue;
             if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -1045,6 +1049,8 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
                 continue;
         }
 
+    ok:
+
 #ifdef CIPHER_DEBUG
         fprintf(stderr, "Action = %d\n", rule);
 #endif


More information about the openssl-commits mailing list