[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Fri Mar 4 10:10:06 UTC 2016
The branch master has been updated
via 8b1a5af389fb962c7d00ffc9d003c81078033e7b (commit)
from f04abe7d500eeebc078a0ffb0e82997d5f62b2df (commit)
- Log -----------------------------------------------------------------
commit 8b1a5af389fb962c7d00ffc9d003c81078033e7b
Author: Matt Caswell <matt at openssl.org>
Date: Thu Mar 3 15:40:51 2016 +0000
Don't build RC4 ciphersuites into libssl by default
RC4 based ciphersuites in libssl have been disabled by default. They can
be added back by building OpenSSL with the "enable-weak-ssl-ciphers"
Configure option at compile time.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 5 +++++
Configure | 29 +++++++++++++++++------------
doc/apps/ciphers.pod | 5 +++--
ssl/s3_lib.c | 18 ++++++++++++++++++
4 files changed, 43 insertions(+), 14 deletions(-)
diff --git a/CHANGES b/CHANGES
index 6186558..f534cf7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]
+ *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
+ disabled by default. They can be re-enabled using the
+ enable-weak-ssl-ciphers option to Configure.
+ [Matt Caswell]
+
*) If the server has ALPN configured, but supports no protocols that the
client advertises, send a fatal "no_application_protocol" alert.
This behaviour is SHALL in RFC 7301, though it isn't universally
diff --git a/Configure b/Configure
index 5e2e8d3..e57ff60 100755
--- a/Configure
+++ b/Configure
@@ -57,6 +57,9 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
# library and will be loaded in run-time by the OpenSSL library.
# sctp include SCTP support
# 386 generate 80386 code
+# enable-weak-ssl-ciphers
+# Enable weak ciphers that are disabled by default. This currently
+# only includes RC4 based ciphers.
# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through
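Review bot: The new usage text says "weak ciphers" without naming the layer it affects, while the commit message and the ssl/s3_lib.c hunks show that only libssl ciphersuite table entries are gated. A reader of Configure could take the default to mean RC4 is gone from the build entirely, which nothing in this commit shows; the algorithm itself appears to stay under the existing `no-<cipher>` options. I would word it as `# Enable weak libssl ciphersuites that are disabled by default. This currently covers only the RC4 based ciphersuites; it does not add or remove the RC4 algorithm itself.` The usage comment block starts and ends outside this hunk.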
@@ -313,6 +316,7 @@ my @disablables = (
"ui",
"unit-test",
"whirlpool",
+ "weak-ssl-ciphers",
"zlib",
"zlib-dynamic",
);
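Review bot: `"weak-ssl-ciphers"` is inserted after `"whirlpool"`, which breaks the alphabetical order that the visible entries of `@disablables` otherwise follow (`"ui"`, `"unit-test"`, `"whirlpool"`, `"zlib"`). Moving it one line up, before `"whirlpool"`, keeps the list easy to scan and matches the position the same name gets in `%disabled` in the next hunk, right after `"unit-test"`. The list begins outside this hunk, so the ordering of earlier entries is not confirmed here.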
@@ -330,18 +334,19 @@ my @deprecated_disablables = (
our %disabled = ( # "what" => "comment"
"ec_nistp_64_gcc_128" => "default",
- "egd" => "default",
- "md2" => "default",
- "rc5" => "default",
- "sctp" => "default",
- "shared" => "default",
- "ssl-trace" => "default",
- "static-engine" => "default",
- "unit-test" => "default",
- "zlib" => "default",
- "zlib-dynamic" => "default",
- "crypto-mdebug" => "default",
- "heartbeats" => "default",
+ "egd" => "default",
+ "md2" => "default",
+ "rc5" => "default",
+ "sctp" => "default",
+ "shared" => "default",
+ "ssl-trace" => "default",
+ "static-engine" => "default",
+ "unit-test" => "default",
+ "weak-ssl-ciphers" => "default",
+ "zlib" => "default",
+ "zlib-dynamic" => "default",
+ "crypto-mdebug" => "default",
+ "heartbeats" => "default",
);
# Note: => pair form used for aesthetics, not to truly make a hash table
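Review bot: Twelve unchanged entries of `%disabled` are re-aligned in the same hunk as the one functional addition, `"weak-ssl-ciphers" => "default"`, so a reader has to compare every removed/added pair to confirm that no other default was altered. For a change to security defaults I would keep the whitespace change in a separate commit, or leave the old alignment and add only the new line. A short comment on the new entry, such as `# RC4 ciphersuites in libssl; re-enable with enable-weak-ssl-ciphers`, would also record why it is off by default.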
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 07c353d..344e218 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -144,9 +144,10 @@ When used, this must be the first cipherstring specified.
=item B<COMPLEMENTOFDEFAULT>
The ciphers included in B<ALL>, but not enabled by default. Currently
-this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does
+this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
-necessary).
+necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
+default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL>
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 07ce76d..f1ea55a 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -195,6 +195,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 04 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_RSA_RC4_128_MD5,
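Review bot: Nothing in this commit checks that the guard actually removes every RC4 suite: the summary lists only CHANGES, Configure, doc/apps/ciphers.pod and ssl/s3_lib.c, and the guard is repeated by hand around individual entries of `ssl3_ciphers[]` (Cipher 04 here, then 18, 8A, 8E, 92, C007, C011, C016 and C033 in the later hunks). An RC4 entry that is missed, or added later without the guard, would silently stay in default builds. A test that lists the ciphers of a default build and fails on any name containing RC4 would pin the intended default, and a comment above the first guard, for example `/* RC4 ciphersuites: only built with enable-weak-ssl-ciphers */`, would tell the next editor to wrap new entries. The table starts and continues outside this hunk, so coverage of entries not shown cannot be confirmed from here.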
@@ -225,6 +226,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
/* Cipher 07 */
#ifndef OPENSSL_NO_IDEA
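Review bot: The `#endif` added here closes `OPENSSL_NO_WEAK_SSL_CIPHERS` about thirty lines after it was opened (going by the hunk headers) and is immediately followed by `#ifndef OPENSSL_NO_IDEA`, so the bare form gives no hint which guard it ends. Writing `#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */` makes the pairing checkable by eye. This matters most in the Cipher 8A hunk, where the new guard opens inside `#ifndef OPENSSL_NO_PSK`. The same applies to every `#endif` this commit adds.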
@@ -293,6 +295,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 18 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_ADH_RC4_128_MD5,
@@ -307,6 +310,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
/* Cipher 1B */
{
@@ -813,6 +817,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
#ifndef OPENSSL_NO_PSK
/* PSK ciphersuites from RFC 4279 */
/* Cipher 8A */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_PSK_WITH_RC4_128_SHA,
@@ -827,6 +832,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
/* Cipher 8B */
{
@@ -877,6 +883,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 8E */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA,
@@ -891,6 +898,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
/* Cipher 8F */
{
@@ -941,6 +949,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 92 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA,
@@ -955,6 +964,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
/* Cipher 93 */
{
@@ -1646,6 +1656,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher C007 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
@@ -1660,6 +1671,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
/* Cipher C008 */
{
@@ -1726,6 +1738,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher C011 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
@@ -1740,6 +1753,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
/* Cipher C012 */
{
@@ -1806,6 +1820,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher C016 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
@@ -1820,6 +1835,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
/* Cipher C017 */
{
@@ -2152,6 +2168,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
/* PSK ciphersuites from RFC 5489 */
/* Cipher C033 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
@@ -2166,6 +2183,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
/* Cipher C034 */
{