components/curl/patches/014-OpenSSL-deselect-weak-ciphers-by-default.patch
branchs11u2-sru
changeset 3233 5f64fead3ff7
       
     1 From 30e24c74774ef642f6d34638bb2b701877c7ce93 Mon Sep 17 00:00:00 2001
       
     2 From: Daniel Stenberg <[email protected]>
       
     3 Date: Sat, 11 Jan 2014 00:05:19 +0100
       
     4 Subject: [PATCH] OpenSSL: deselect weak ciphers by default
       
     5 
       
     6 By default even recent versions of OpenSSL supports and accepts both
       
     7 "export strength" ciphers, small-bitsize ciphers as well as downright
       
     8 deprecated ones.
       
     9 
       
    10 This change sets a default cipher selection that tries to avoid the
       
    11 worst ones, and subsequently it makes https://www.howsmyssl.com/a/check
       
    12 no longer grade curl/OpenSSL connects as 'Bad'.
       
    13 
       
    14 Bug: http://curl.haxx.se/bug/view.cgi?id=1323
       
    15 Reported-by: Jeff Hodges
       
    16 
       
    17 (Note that we have an older version of curl, and the required changes need
       
    18 to be made to .../lib/ssluse.[c,h] not .../lib/vtls/openssl.[c,h].)
       
    19 
       
    20 --- lib/ssluse.c.orig	2014-07-08 07:13:52.002064381 -0700
       
    21 +++ lib/ssluse.c	2014-07-08 07:18:11.256793811 -0700
       
    22 @@ -1422,6 +1422,7 @@
       
    23  {
       
    24    CURLcode retcode = CURLE_OK;
       
    25  
       
    26 +  char *ciphers;
       
    27    struct SessionHandle *data = conn->data;
       
    28    SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
       
    29    void *ssl_sessionid=NULL;
       
    30 @@ -1556,12 +1557,12 @@
       
    31      }
       
    32    }
       
    33  
       
    34 -  if(data->set.str[STRING_SSL_CIPHER_LIST]) {
       
    35 -    if(!SSL_CTX_set_cipher_list(connssl->ctx,
       
    36 -                                data->set.str[STRING_SSL_CIPHER_LIST])) {
       
    37 -      failf(data, "failed setting cipher list");
       
    38 -      return CURLE_SSL_CIPHER;
       
    39 -    }
       
    40 +  ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
       
    41 +  if(!ciphers)
       
    42 +    ciphers = (char *)DEFAULT_CIPHER_SELECTION;
       
    43 +  if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
       
    44 +    failf(data, "failed setting cipher list: %s", ciphers);
       
    45 +    return CURLE_SSL_CIPHER;
       
    46    }
       
    47  
       
    48    if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {
       
    49 --- lib/ssluse.h.orig	2014-07-08 07:13:58.481773165 -0700
       
    50 +++ lib/ssluse.h	2014-07-08 07:16:39.119426762 -0700
       
    51 @@ -7,7 +7,7 @@
       
    52   *                            | (__| |_| |  _ <| |___
       
    53   *                             \___|\___/|_| \_\_____|
       
    54   *
       
    55 - * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al.
       
    56 + * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al.
       
    57   *
       
    58   * This software is licensed as described in the file COPYING, which
       
    59   * you should have received as part of this distribution. The terms
       
    60 @@ -80,5 +80,7 @@
       
    61  #define curlssl_check_cxn Curl_ossl_check_cxn
       
    62  #define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y)
       
    63  
       
    64 +#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
       
    65 +
       
    66  #endif /* USE_SSLEAY */
       
    67  #endif /* __SSLUSE_H */
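Review bot: The cipher string introduced at patch line 64, `"ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"`, has no `:` separators, so OpenSSL's cipher-list parser most likely reads a single rule beginning with `ALL` and never applies the `!` exclusions as separate rules, leaving the default effectively equal to plain `ALL` and defeating the purpose stated in the commit message. The define should read `#define DEFAULT_CIPHER_SELECTION "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4"`, and the resulting selection can be confirmed with `openssl ciphers -v '<cipher string>'` before and after the change. In the ssluse.c hunk the `(char *)` cast at patch line 42 exists only because `ciphers` is declared non-const; `const char *ciphers;` would avoid discarding the literal's constness, since SSL_CTX_set_cipher_list takes a `const char *`. The enclosing function in ssluse.c starts and ends outside the hunk.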