[openssl-commits] [openssl] OpenSSL_1_0_0-stable update
Kurt Roeckx
kurt at openssl.org
Sat Mar 7 22:18:27 UTC 2015
The branch OpenSSL_1_0_0-stable has been updated
via 71b0bb764c03b76214af4ee8fc35ee940f52b783 (commit)
from 09712fd0e3754172fa9f6da30a6782f36c43f195 (commit)
- Log -----------------------------------------------------------------
commit 71b0bb764c03b76214af4ee8fc35ee940f52b783
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Wed Mar 4 21:57:52 2015 +0100
Remove export ciphers from the DEFAULT cipher list
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit bc2e18a3c818ae7e2d8c996b6648aa4ae8e3ee28)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 3 ++-
doc/apps/ciphers.pod | 4 ++--
ssl/ssl.h | 2 +-
ssl/ssl_ciph.c | 11 ++++++++---
4 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/CHANGES b/CHANGES
index f48a002..3e146ab 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,8 @@
Changes between 1.0.0q and 1.0.0r [xx XXX xxxx]
- *)
+ *) Removed the export ciphers from the DEFAULT ciphers
+ [Kurt Roeckx]
Changes between 1.0.0p and 1.0.0q [15 Jan 2015]
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index f44aa00..cbd9fa3 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -109,8 +109,8 @@ The following is a list of all permitted cipher strings and their meanings.
=item B<DEFAULT>
-the default cipher list. This is determined at compile time and, as of OpenSSL
-1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string
+the default cipher list. This is determined at compile time and
+is normally B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>. This must be the firstcipher string
specified.
=item B<COMPLEMENTOFDEFAULT>
diff --git a/ssl/ssl.h b/ssl/ssl.h
index c977da3..3f4d0ac 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -326,7 +326,7 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index a61cab6..cae03b3 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -228,8 +228,8 @@ static const SSL_CIPHER cipher_aliases[] = {
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!)
*/
- {0, SSL_TXT_CMPDEF, 0, SSL_kEDH | SSL_kEECDH, SSL_aNULL, ~SSL_eNULL, 0, 0,
- 0, 0, 0, 0},
+ {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2,
+ SSL_EXP_MASK, 0, 0, 0},
/*
* key exchange aliases (some of those using only a single bit here
@@ -916,7 +916,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl,
cp->algo_strength);
#endif
-
+ if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
+ goto ok;
+ if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
+ goto ok;
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue;
if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -935,6 +938,8 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
continue;
}
+ ok:
+
#ifdef CIPHER_DEBUG
printf("Action = %d\n", rule);
#endif
More information about the openssl-commits
mailing list