From 30e24c74774ef642f6d34638bb2b701877c7ce93 Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <[email protected]>

Date: Sat, 11 Jan 2014 00:05:19 +0100

Subject: [PATCH] OpenSSL: deselect weak ciphers by default

By default even recent versions of OpenSSL supports and accepts both

"export strength" ciphers, small-bitsize ciphers as well as downright

deprecated ones.

This change sets a default cipher selection that tries to avoid the

worst ones, and subsequently it makes https://www.howsmyssl.com/a/check

no longer grade curl/OpenSSL connects as 'Bad'.

Bug: http://curl.haxx.se/bug/view.cgi?id=1323

Reported-by: Jeff Hodges

(Note that we have an older version of curl, and the required changes need

to be made to .../lib/ssluse.[c,h] not .../lib/vtls/openssl.[c,h].)

--- lib/ssluse.c.orig	2014-07-08 07:13:52.002064381 -0700

+++ lib/ssluse.c	2014-07-08 07:18:11.256793811 -0700

@@ -1422,6 +1422,7 @@

 {

   CURLcode retcode = CURLE_OK;

+  char *ciphers;

   struct SessionHandle *data = conn->data;

   SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;

   void *ssl_sessionid=NULL;

@@ -1556,12 +1557,12 @@

     }

   }

-  if(data->set.str[STRING_SSL_CIPHER_LIST]) {

-    if(!SSL_CTX_set_cipher_list(connssl->ctx,

-                                data->set.str[STRING_SSL_CIPHER_LIST])) {

-      failf(data, "failed setting cipher list");

-      return CURLE_SSL_CIPHER;

-    }

+  ciphers = data->set.str[STRING_SSL_CIPHER_LIST];

+  if(!ciphers)

+    ciphers = (char *)DEFAULT_CIPHER_SELECTION;

+  if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {

+    failf(data, "failed setting cipher list: %s", ciphers);

+    return CURLE_SSL_CIPHER;

   }

   if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {

--- lib/ssluse.h.orig	2014-07-08 07:13:58.481773165 -0700

+++ lib/ssluse.h	2014-07-08 07:16:39.119426762 -0700

@@ -7,7 +7,7 @@

  *                            | (__| |_| |  _ <| |___

  *                             \___|\___/|_| \_\_____|

  *

- * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al.

+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al.

  *

  * This software is licensed as described in the file COPYING, which

  * you should have received as part of this distribution. The terms

@@ -80,5 +80,7 @@

 #define curlssl_check_cxn Curl_ossl_check_cxn

 #define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y)

+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"

+

 #endif /* USE_SSLEAY */

 #endif /* __SSLUSE_H */