author | Mike Sullivan <Mike.Sullivan@Oracle.COM> |
Fri, 30 Sep 2016 21:33:56 -0700 | |
changeset 7017 | 25872950aa80 |
parent 3934 | eb6d9a880b40 |
permissions | -rw-r--r-- |
19426049 remove export cipher suites from OpenSSL preference list for lynx
Rich Burridge <rich.burridge@oracle.com>
1 |
By default even recent versions of OpenSSL support and accept both |
2 |
"export strength" ciphers, small-bitsize ciphers as well as downright |
3 |
deprecated ones. |
4 |
|
5 |
This change sets a default cipher selection that tries to avoid the |
6 |
worst ones, and subsequently it makes https://www.howsmyssl.com/a/check |
7 |
no longer grade lynx/OpenSSL connections as 'Bad'. |
8 |
|
9 |
This change will be passed upstream. |
10 |
|
11 |
--- lynx2-8-8/WWW/Library/Implementation/HTTP.h.orig 2015-03-10 08:40:16.089217608 -0700 |
12 |
+++ lynx2-8-8/WWW/Library/Implementation/HTTP.h 2015-03-10 08:41:05.590224096 -0700 |
13 |
@@ -21,6 +21,8 @@ |
14 |
GLOBALREF HTProtocol HTTPS; |
15 |
#endif /* GLOBALREF_IS_MACRO */ |
16 |
|
17 |
+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4" |
18 |
+ |
19 |
#define URL_GET_METHOD 1 |
20 |
#define URL_POST_METHOD 2 |
21 |
#define URL_MAIL_METHOD 3 |
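Review bot: The new `+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"` omits the `:` separators that ciphers(1) documents between rules; as far as I can tell OpenSSL's rule parser treats a leading `!` as the start of a new rule so the string probably does what the description claims, but the conventional spelling is unambiguous and is what any compatibility layer that re-parses the string will expect. I'd write it as `"ALL:!EXPORT:!aNULL:!LOW:!RC4"` (EXPORT40 and EXPORT56 are subsets of EXPORT, so listing them adds nothing). Note also that `ALL` still admits suites such as 3DES, SEED, IDEA and MD5-MAC ciphers in definition order rather than strength order, so if the intent is a conservative client default, `HIGH:!aNULL:!RC4` or a trailing `:@STRENGTH` is worth considering. A one-line comment above the define, e.g. `/* Client cipher preference: drop export-grade, anonymous (unauthenticated), low-strength and RC4 suites; see ciphers(1). */`, would tell a future maintainer why each exclusion is there.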
22 |
--- lynx2-8-8/WWW/Library/Implementation/HTTP.c.orig 2015-03-10 08:40:31.459735465 -0700 |
23 |
+++ lynx2-8-8/WWW/Library/Implementation/HTTP.c 2015-03-10 08:53:29.358186971 -0700 |
24 |
@@ -105,6 +105,8 @@ |
25 |
|
26 |
SSL *HTGetSSLHandle(void) |
27 |
{ |
28 |
+ char *ciphers; |
29 |
+ |
30 |
#ifdef USE_GNUTLS_INCL |
31 |
static char *certfile = NULL; |
32 |
#endif |
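Review bot: The added `char *ciphers;` at the top of HTGetSSLHandle is declared without `const`, which is what later forces the `(char *)` cast when it is assigned the DEFAULT_CIPHER_SELECTION string literal; `SSL_CTX_set_cipher_list()` takes a `const char *`, so `const char *ciphers = DEFAULT_CIPHER_SELECTION;` would remove the cast and let the compiler reject any write through the pointer. If it is never reassigned, the variable can be dropped entirely and the macro passed directly to the call. HTGetSSLHandle's body continues past this hunk, so I cannot see whether `ciphers` is also referenced (or left unused, provoking a warning) on the GnuTLS build path under `USE_GNUTLS_INCL`.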
33 |
@@ -121,6 +123,10 @@ |
34 |
ssl_ctx = SSL_CTX_new(SSLv23_client_method()); |
35 |
/* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */ |
36 |
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); |
37 |
+ |
38 |
+ ciphers = (char *)DEFAULT_CIPHER_SELECTION; |
39 |
+ SSL_CTX_set_cipher_list(ssl_ctx, ciphers); |
40 |
+ |
41 |
#ifdef SSL_OP_NO_COMPRESSION |
42 |
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION); |
43 |
#endif |
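Review bot: The return value of the new `SSL_CTX_set_cipher_list(ssl_ctx, ciphers);` is ignored; that call returns 0 when none of the named suites can be enabled, and in that case the context silently keeps OpenSSL's built-in default list, which still contains the export and RC4 suites this patch sets out to exclude. The check should fail closed, e.g. `if (!SSL_CTX_set_cipher_list(ssl_ctx, ciphers)) { /* no usable cipher suite: treat as a failed context setup */ }`, taking whatever error path HTGetSSLHandle uses when the context cannot be built (the `SSL_CTX_new()` call at the top of the hunk also has no visible NULL check, though that is pre-existing). The `(char *)` cast on `DEFAULT_CIPHER_SELECTION` is unnecessary, since the function's parameter is `const char *`. HTGetSSLHandle begins and ends outside this hunk.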