1 From 30e24c74774ef642f6d34638bb2b701877c7ce93 Mon Sep 17 00:00:00 2001 |
2 From: Daniel Stenberg <[email protected]> |
3 Date: Sat, 11 Jan 2014 00:05:19 +0100 |
4 Subject: [PATCH] OpenSSL: deselect weak ciphers by default |
5 |
6 By default even recent versions of OpenSSL support and accept both |
7 "export strength" ciphers, small-bitsize ciphers as well as downright |
8 deprecated ones. |
9 |
10 This change sets a default cipher selection that tries to avoid the |
11 worst ones, and subsequently it makes https://www.howsmyssl.com/a/check |
12 no longer grade curl/OpenSSL connects as 'Bad'. |
13 |
14 Bug: http://curl.haxx.se/bug/view.cgi?id=1323 |
15 Reported-by: Jeff Hodges |
16 |
17 (Note that we have an older version of curl, and the required changes need |
18 to be made to .../lib/ssluse.[c,h] not .../lib/vtls/openssl.[c,h].) |
19 |
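--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1422,6 +1422,7 @@
 {
   CURLcode retcode = CURLE_OK;
 
+  char *ciphers;
   struct SessionHandle *data = conn->data;
   SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
   void *ssl_sessionid=NULL;
@@ -1556,12 +1557,12 @@
     }
   }
 
-  if(data->set.str[STRING_SSL_CIPHER_LIST]) {
-    if(!SSL_CTX_set_cipher_list(connssl->ctx,
-                                data->set.str[STRING_SSL_CIPHER_LIST])) {
-      failf(data, "failed setting cipher list");
-      return CURLE_SSL_CIPHER;
-    }
+  ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
+  if(!ciphers)
+    ciphers = (char *)DEFAULT_CIPHER_SELECTION;
+  if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
+    failf(data, "failed setting cipher list: %s", ciphers);
+    return CURLE_SSL_CIPHER;
   }
 
   if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {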
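Review bot: `ciphers` is declared as a plain `char *` only so that the string literal behind `DEFAULT_CIPHER_SELECTION` can be cast into it; since `SSL_CTX_set_cipher_list()` takes a `const char *`, declaring `const char *ciphers;` in the first hunk and writing `ciphers = DEFAULT_CIPHER_SELECTION;` in the second removes a cast that strips constness from a literal and keeps the compiler able to catch an accidental write. Echoing the rejected string in the failf message is a useful diagnostic for operators. Because the default is taken only when `STRING_SSL_CIPHER_LIST` is unset, a user-supplied list replaces it entirely rather than being merged with it; a one-line comment above the assignment, `/* a configured cipher list fully replaces the built-in default */`, would make that explicit. The enclosing function opens before the first hunk and continues past the second.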
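--- a/lib/ssluse.h
+++ b/lib/ssluse.h
@@ -7,7 +7,7 @@
  * | (__| |_| | _ <| |___
  * \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -80,5 +80,7 @@
 #define curlssl_check_cxn Curl_ossl_check_cxn
 #define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y)
 
+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
+
 #endif /* USE_SSLEAY */
 #endif /* __SSLUSE_H */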
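Review bot: The value of `DEFAULT_CIPHER_SELECTION` in the second hunk runs its rule items together with no separator; OpenSSL's ciphers(1) syntax documents `:` (or `,`/space) as the item separator and `!` as a per-item prefix, so the conventional spelling is `"ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4"`, which is easier to audit and does not rely on the parser treating a bare `!` as an implicit item boundary. `ALL` also does not order suites by key strength, so appending `:@STRENGTH` would offer the strongest remaining suites first (the server's own preference may still decide the outcome). A short comment above the define saying that this string is used only when no cipher list was configured via `STRING_SSL_CIPHER_LIST`, and that it follows OpenSSL's cipher-string syntax, would help whoever tightens the list later.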