author | Rich Burridge <rich.burridge@oracle.com> |
Wed, 02 Jul 2014 14:04:37 -0700 | |
changeset 1980 | aa71e25d90c5 |
permissions | -rw-r--r-- |
1980
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
1 |
From 30e24c74774ef642f6d34638bb2b701877c7ce93 Mon Sep 17 00:00:00 2001 |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
2 |
From: Daniel Stenberg <[email protected]> |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
3 |
Date: Sat, 11 Jan 2014 00:05:19 +0100 |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
4 |
Subject: [PATCH] OpenSSL: deselect weak ciphers by default |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
5 |
|
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
6 |
By default even recent versions of OpenSSL supports and accepts both |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
7 |
"export strength" ciphers, small-bitsize ciphers as well as downright |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
8 |
deprecated ones. |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
9 |
|
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
10 |
This change sets a default cipher selection that tries to avoid the |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
11 |
worst ones, and subsequently it makes https://www.howsmyssl.com/a/check |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
12 |
no longer grade curl/OpenSSL connects as 'Bad'. |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
13 |
|
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
14 |
Bug: http://curl.haxx.se/bug/view.cgi?id=1323 |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
15 |
Reported-by: Jeff Hodges |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
16 |
|
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
17 |
(Note that we have an older version of curl, and the required changes need |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
18 |
to be made to .../lib/ssluse.[c,h] not .../lib/vtls/openssl.[c,h].) |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
19 |
|
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
20 |
--- lib/ssluse.c.orig 2014-07-02 05:55:41.737906072 -0700 |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
21 |
+++ lib/ssluse.c 2014-07-02 06:01:36.893672485 -0700 |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
22 |
@@ -1439,6 +1439,7 @@ |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
23 |
{ |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
24 |
CURLcode retcode = CURLE_OK; |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
25 |
|
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
26 |
+ char *ciphers; |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
27 |
struct SessionHandle *data = conn->data; |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
28 |
SSL_METHOD_QUAL SSL_METHOD *req_method=NULL; |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
29 |
void *ssl_sessionid=NULL; |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
30 |
@@ -1614,12 +1615,12 @@ |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
31 |
} |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
32 |
} |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
33 |
|
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
34 |
- if(data->set.str[STRING_SSL_CIPHER_LIST]) { |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
35 |
- if(!SSL_CTX_set_cipher_list(connssl->ctx, |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
36 |
- data->set.str[STRING_SSL_CIPHER_LIST])) { |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
37 |
- failf(data, "failed setting cipher list"); |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
38 |
- return CURLE_SSL_CIPHER; |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
39 |
- } |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
40 |
+ ciphers = data->set.str[STRING_SSL_CIPHER_LIST]; |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
41 |
+ if(!ciphers) |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
42 |
+ ciphers = (char *)DEFAULT_CIPHER_SELECTION; |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
43 |
+ if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) { |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
44 |
+ failf(data, "failed setting cipher list: %s", ciphers); |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
45 |
+ return CURLE_SSL_CIPHER; |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
46 |
} |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
47 |
|
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
48 |
#ifdef USE_TLS_SRP |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
49 |
--- lib/ssluse.h.orig 2014-07-02 06:01:57.665442588 -0700 |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
50 |
+++ lib/ssluse.h 2014-07-02 06:03:19.437812328 -0700 |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
51 |
@@ -7,7 +7,7 @@ |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
52 |
* | (__| |_| | _ <| |___ |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
53 |
* \___|\___/|_| \_\_____| |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
54 |
* |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
55 |
- * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al. |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
56 |
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al. |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
57 |
* |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
58 |
* This software is licensed as described in the file COPYING, which |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
59 |
* you should have received as part of this distribution. The terms |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
60 |
@@ -83,5 +83,7 @@ |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
61 |
#define curlssl_check_cxn Curl_ossl_check_cxn |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
62 |
#define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y) |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
63 |
|
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
64 |
+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4" |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
65 |
+ |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
66 |
#endif /* USE_SSLEAY */ |
aa71e25d90c5
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
67 |
#endif /* HEADER_CURL_SSLUSE_H */ |