[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Fri Mar 4 10:10:06 UTC 2016


The branch master has been updated
       via  8b1a5af389fb962c7d00ffc9d003c81078033e7b (commit)
      from  f04abe7d500eeebc078a0ffb0e82997d5f62b2df (commit)


- Log -----------------------------------------------------------------
commit 8b1a5af389fb962c7d00ffc9d003c81078033e7b
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 3 15:40:51 2016 +0000

    Don't build RC4 ciphersuites into libssl by default
    
    RC4 based ciphersuites in libssl have been disabled by default. They can
    be added back by building OpenSSL with the "enable-weak-ssl-ciphers"
    Configure option at compile time.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES              |  5 +++++
 Configure            | 29 +++++++++++++++++------------
 doc/apps/ciphers.pod |  5 +++--
 ssl/s3_lib.c         | 18 ++++++++++++++++++
 4 files changed, 43 insertions(+), 14 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6186558..f534cf7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]
 
+  *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
+     disabled by default. They can be re-enabled using the
+     enable-weak-ssl-ciphers option to Configure.
+     [Matt Caswell]
+
   *) If the server has ALPN configured, but supports no protocols that the
      client advertises, send a fatal "no_application_protocol" alert.
      This behaviour is SHALL in RFC 7301, though it isn't universally
diff --git a/Configure b/Configure
index 5e2e8d3..e57ff60 100755
--- a/Configure
+++ b/Configure
@@ -57,6 +57,9 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
 #		library and will be loaded in run-time by the OpenSSL library.
 # sctp          include SCTP support
 # 386           generate 80386 code
+# enable-weak-ssl-ciphers
+#               Enable weak ciphers that are disabled by default. This currently
+#               only includes RC4 based ciphers.
 # no-sse2	disables IA-32 SSE2 code, above option implies no-sse2
 # no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
 # -<xxx> +<xxx> compiler options are passed through
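Review bot: The new usage comment says the option enables "weak ciphers", but per the commit message only the RC4 based ciphersuites in libssl are affected; the RC4 algorithm itself is presumably still governed by the existing `no-<cipher>` mechanism. Wording such as `# Enable weak libssl ciphersuites that are disabled by default. This currently only includes RC4 based ciphersuites.` would keep a packager from assuming that a default build contains no RC4 code at all. The comment block this hunk extends starts and ends outside the hunk.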
@@ -313,6 +316,7 @@ my @disablables = (
     "ui",
     "unit-test",
     "whirlpool",
+    "weak-ssl-ciphers",
     "zlib",
     "zlib-dynamic",
     );
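Review bot: `"weak-ssl-ciphers"` is inserted after `"whirlpool"`, but the visible neighbours (`ui`, `unit-test`, `whirlpool`, `zlib`, `zlib-dynamic`) are in alphabetical order and `we` sorts before `wh`; the new line belongs above `"whirlpool",`. The `%disabled` hunk further down does place the same key in order (between `unit-test` and `zlib`), so the two lists now disagree. `@disablables` begins outside this hunk, so confirm the list is meant to stay sorted before moving it.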
@@ -330,18 +334,19 @@ my @deprecated_disablables = (
 
 our %disabled = ( # "what"         => "comment"
 		  "ec_nistp_64_gcc_128" => "default",
-		  "egd"            => "default",
-		  "md2"            => "default",
-		  "rc5"            => "default",
-		  "sctp"           => "default",
-		  "shared"         => "default",
-		  "ssl-trace"      => "default",
-		  "static-engine"  => "default",
-		  "unit-test"      => "default",
-		  "zlib"           => "default",
-		  "zlib-dynamic"   => "default",
-		  "crypto-mdebug"  => "default",
-		  "heartbeats"     => "default",
+		  "egd"                 => "default",
+		  "md2"                 => "default",
+		  "rc5"                 => "default",
+		  "sctp"                => "default",
+		  "shared"              => "default",
+		  "ssl-trace"           => "default",
+		  "static-engine"       => "default",
+		  "unit-test"           => "default",
+		  "weak-ssl-ciphers"    => "default",
+		  "zlib"                => "default",
+		  "zlib-dynamic"        => "default",
+		  "crypto-mdebug"       => "default",
+		  "heartbeats"          => "default",
 		);
 
 # Note: => pair form used for aesthetics, not to truly make a hash table
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 07c353d..344e218 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -144,9 +144,10 @@ When used, this must be the first cipherstring specified.
 =item B<COMPLEMENTOFDEFAULT>
 
 The ciphers included in B<ALL>, but not enabled by default. Currently
-this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does
+this includes all RC4 and anonymous ciphers. Note that this rule does
 not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
-necessary).
+necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
+default (see the enable-weak-ssl-ciphers option to Configure).
 
 =item B<ALL>
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 07ce76d..f1ea55a 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -195,6 +195,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      },
 
 /* Cipher 04 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
      SSL3_TXT_RSA_RC4_128_MD5,
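Review bot: The `#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS` added under `/* Cipher 04 */` is closed by a bare `#endif` in the next hunk about thirty lines later, which by the hunk offsets looks like it also covers the following table entry (presumably Cipher 05) without saying so. Label the close as `#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */` and state the span at the open, for example `/* Ciphers 04 and 05: RC4, built only with enable-weak-ssl-ciphers */`, so that someone auditing which suites a build can negotiate does not have to count braces. The same unlabelled `#endif` recurs in the hunks for Ciphers 18, 8A, 8E, 92, C007, C011, C016 and C033, and the 8A guard is additionally nested inside `#ifndef OPENSSL_NO_PSK`. The `ssl3_ciphers[]` initializer starts and ends outside these hunks.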
@@ -225,6 +226,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      128,
      128,
      },
+#endif
 
 /* Cipher 07 */
 #ifndef OPENSSL_NO_IDEA
@@ -293,6 +295,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      },
 
 /* Cipher 18 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
      SSL3_TXT_ADH_RC4_128_MD5,
@@ -307,6 +310,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      128,
      128,
      },
+#endif
 
 /* Cipher 1B */
     {
@@ -813,6 +817,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 #ifndef OPENSSL_NO_PSK
     /* PSK ciphersuites from RFC 4279 */
     /* Cipher 8A */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
      TLS1_TXT_PSK_WITH_RC4_128_SHA,
@@ -827,6 +832,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      128,
      128,
      },
+#endif
 
     /* Cipher 8B */
     {
@@ -877,6 +883,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      },
 
     /* Cipher 8E */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
      TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA,
@@ -891,6 +898,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      128,
      128,
      },
+#endif
 
     /* Cipher 8F */
     {
@@ -941,6 +949,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      },
 
     /* Cipher 92 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
      TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA,
@@ -955,6 +964,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      128,
      128,
      },
+#endif
 
     /* Cipher 93 */
     {
@@ -1646,6 +1656,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      },
 
     /* Cipher C007 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
      TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
@@ -1660,6 +1671,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      128,
      128,
      },
+#endif
 
     /* Cipher C008 */
     {
@@ -1726,6 +1738,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      },
 
     /* Cipher C011 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
      TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
@@ -1740,6 +1753,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      128,
      128,
      },
+#endif
 
     /* Cipher C012 */
     {
@@ -1806,6 +1820,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      },
 
     /* Cipher C016 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
      TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
@@ -1820,6 +1835,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      128,
      128,
      },
+#endif
 
     /* Cipher C017 */
     {
@@ -2152,6 +2168,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 
     /* PSK ciphersuites from RFC 5489 */
     /* Cipher C033 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
      TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
@@ -2166,6 +2183,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      128,
      128,
      },
+#endif
 
     /* Cipher C034 */
     {

