author | Rich Burridge <rich.burridge@oracle.com> |
Wed, 23 Jul 2014 06:05:53 -0700 | |
branch | s11-update |
changeset 3226 | 759d38fe157b |
permissions | -rw-r--r-- |
3226
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
1 |
From 30e24c74774ef642f6d34638bb2b701877c7ce93 Mon Sep 17 00:00:00 2001 |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
2 |
From: Daniel Stenberg <[email protected]> |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
3 |
Date: Sat, 11 Jan 2014 00:05:19 +0100 |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
4 |
Subject: [PATCH] OpenSSL: deselect weak ciphers by default |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
5 |
|
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
6 |
By default even recent versions of OpenSSL supports and accepts both |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
7 |
"export strength" ciphers, small-bitsize ciphers as well as downright |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
8 |
deprecated ones. |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
9 |
|
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
10 |
This change sets a default cipher selection that tries to avoid the |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
11 |
worst ones, and subsequently it makes https://www.howsmyssl.com/a/check |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
12 |
no longer grade curl/OpenSSL connects as 'Bad'. |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
13 |
|
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
14 |
Bug: http://curl.haxx.se/bug/view.cgi?id=1323 |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
15 |
Reported-by: Jeff Hodges |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
16 |
|
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
17 |
(Note that we have an older version of curl, and the required changes need |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
18 |
to be made to .../lib/ssluse.[c,h] not .../lib/vtls/openssl.[c,h].) |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
19 |
|
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
20 |
--- lib/ssluse.c.orig 2014-07-08 07:13:52.002064381 -0700 |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
21 |
+++ lib/ssluse.c 2014-07-08 07:18:11.256793811 -0700 |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
22 |
@@ -1422,6 +1422,7 @@ |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
23 |
{ |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
24 |
CURLcode retcode = CURLE_OK; |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
25 |
|
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
26 |
+ char *ciphers; |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
27 |
struct SessionHandle *data = conn->data; |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
28 |
SSL_METHOD_QUAL SSL_METHOD *req_method=NULL; |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
29 |
void *ssl_sessionid=NULL; |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
30 |
@@ -1556,12 +1557,12 @@ |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
31 |
} |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
32 |
} |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
33 |
|
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
34 |
- if(data->set.str[STRING_SSL_CIPHER_LIST]) { |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
35 |
- if(!SSL_CTX_set_cipher_list(connssl->ctx, |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
36 |
- data->set.str[STRING_SSL_CIPHER_LIST])) { |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
37 |
- failf(data, "failed setting cipher list"); |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
38 |
- return CURLE_SSL_CIPHER; |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
39 |
- } |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
40 |
+ ciphers = data->set.str[STRING_SSL_CIPHER_LIST]; |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
41 |
+ if(!ciphers) |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
42 |
+ ciphers = (char *)DEFAULT_CIPHER_SELECTION; |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
43 |
+ if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) { |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
44 |
+ failf(data, "failed setting cipher list: %s", ciphers); |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
45 |
+ return CURLE_SSL_CIPHER; |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
46 |
} |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
47 |
|
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
48 |
if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) { |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
49 |
--- lib/ssluse.h.orig 2014-07-08 07:13:58.481773165 -0700 |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
50 |
+++ lib/ssluse.h 2014-07-08 07:16:39.119426762 -0700 |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
51 |
@@ -7,7 +7,7 @@ |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
52 |
* | (__| |_| | _ <| |___ |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
53 |
* \___|\___/|_| \_\_____| |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
54 |
* |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
55 |
- * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al. |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
56 |
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al. |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
57 |
* |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
58 |
* This software is licensed as described in the file COPYING, which |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
59 |
* you should have received as part of this distribution. The terms |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
60 |
@@ -80,5 +80,7 @@ |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
61 |
#define curlssl_check_cxn Curl_ossl_check_cxn |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
62 |
#define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y) |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
63 |
|
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
64 |
+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4" |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
65 |
+ |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
66 |
#endif /* USE_SSLEAY */ |
759d38fe157b
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
67 |
#endif /* __SSLUSE_H */ |