[openssl-commits] [openssl] master update

Kurt Roeckx kurt at openssl.org
Fri Mar 4 17:50:16 UTC 2016


The branch master has been updated
       via  9829b5ab52cb5f1891fc48262503b7eec32351b3 (commit)
       via  1510b5f7ca8d06d2ea5966f645dce72a17b1b9c5 (commit)
      from  5b7af0dd6c9315ca76fba16813b66f5792c7fe6e (commit)


- Log -----------------------------------------------------------------
commit 9829b5ab52cb5f1891fc48262503b7eec32351b3
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Thu Mar 3 22:45:57 2016 +0100

    Disable SSLv3 by default
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Emilia Kasper <emilia at openssl.org>
    
    MR: #2203

commit 1510b5f7ca8d06d2ea5966f645dce72a17b1b9c5
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Thu Mar 3 22:02:58 2016 +0100

    Don't mark the eNULL ciphers as non-default.
    
    They're not part of ALL, so they're not part of COMPLEMENTOFDEFAULT
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    
    MR: #2202

-----------------------------------------------------------------------

Summary of changes:
 Configure      |  2 ++
 ssl/s3_lib.c   | 38 +++++++++++++++++++-------------------
 ssl/ssl_ciph.c |  2 +-
 3 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/Configure b/Configure
index e57ff60..cf49023 100755
--- a/Configure
+++ b/Configure
@@ -340,6 +340,8 @@ our %disabled = ( # "what"         => "comment"
 		  "sctp"                => "default",
 		  "shared"              => "default",
 		  "ssl-trace"           => "default",
+		  "ssl3"                => "default",
+		  "ssl3-method"         => "default",
 		  "static-engine"       => "default",
 		  "unit-test"           => "default",
 		  "weak-ssl-ciphers"    => "default",
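Review bot: The two added `%disabled` entries change a security-relevant build default, but the diffstat lists only Configure, ssl/s3_lib.c and ssl/ssl_ciph.c, so no CHANGES, NEWS or INSTALL text accompanies it. Builds that still depend on SSLv3 will lose it without notice on upgrade. A changelog entry should state that SSLv3 is now off unless configured with `enable-ssl3` (and `enable-ssl3-method` for the method functions). The difference between `"ssl3"` and `"ssl3-method"` is not visible from this hunk, so a short comment beside the two lines saying what each one disables would help. The `%disabled` hash starts and ends outside the hunk.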
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index f1ea55a..c9b27eb 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -172,7 +172,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE,
+     SSL_STRONG_NONE,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
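Review bot: Dropping `SSL_NOT_DEFAULT` here appears to leave `SSL_eNULL` in the encryption field as the only thing keeping this no-encryption suite out of the default cipher lists, and the commit adds no test that pins that. The commit message says these suites are not part of ALL. A regression check asserting that the expansions of `DEFAULT` and `COMPLEMENTOFDEFAULT` contain no eNULL suite would catch a future table entry or alias edit that breaks the assumption. The same applies to every other hunk in ssl/s3_lib.c, which make the identical change to the remaining eNULL entries. Each table entry starts and ends outside its hunk.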
@@ -188,7 +188,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -338,7 +338,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -353,7 +353,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -368,7 +368,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -512,7 +512,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA256,
      SSL_TLSV1_2,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -740,7 +740,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_GOST94,
      SSL_TLSV1,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE,
+     SSL_STRONG_NONE,
      SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
      0,
      0
@@ -1354,7 +1354,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA256,
      SSL_TLSV1,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -1370,7 +1370,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA384,
      SSL_TLSV1,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      0,
      0,
@@ -1418,7 +1418,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA256,
      SSL_TLSV1,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -1434,7 +1434,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA384,
      SSL_TLSV1,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      0,
      0,
@@ -1482,7 +1482,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA256,
      SSL_TLSV1,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -1498,7 +1498,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA384,
      SSL_TLSV1,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      0,
      0,
@@ -1649,7 +1649,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -1731,7 +1731,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -1813,7 +1813,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -2275,7 +2275,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -2291,7 +2291,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA256,
      SSL_TLSV1,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      0,
      0,
@@ -2307,7 +2307,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      SSL_eNULL,
      SSL_SHA384,
      SSL_TLSV1,
-     SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
+     SSL_STRONG_NONE | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      0,
      0,
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 9fbdc54..376b7b6 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -296,7 +296,7 @@ static const SSL_CIPHER cipher_aliases[] = {
      * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
      * ALL!)
      */
-    {0, SSL_TXT_CMPDEF, 0, 0, 0, ~SSL_eNULL, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
+    {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
 
     /*
      * key exchange aliases (some of those using only a single bit here
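Review bot: With the `~SSL_eNULL` mask removed from the `SSL_TXT_CMPDEF` alias, nothing on this line excludes NULL-encryption suites any more, so the alias is correct only while no eNULL entry in `ssl3_ciphers[]` carries `SSL_NOT_DEFAULT`. The comment above still says the alias does not include ciphersuites not found in ALL, but not how that is guaranteed. I would extend it with something like `* Relies on eNULL entries in ssl3_ciphers[] never being flagged SSL_NOT_DEFAULT.` so the coupling with ssl/s3_lib.c is recorded where the mask used to be. The `cipher_aliases[]` array and the comment both start outside the hunk.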

