1 By default even recent versions of OpenSSL support and accept both |
2 "export strength" ciphers, small-bitsize ciphers as well as downright |
3 deprecated ones. |
4 |
5 This change sets a default cipher selection that tries to avoid the |
6 worst ones, and as a result https://www.howsmyssl.com/a/check |
7 no longer grades lynx/OpenSSL connections as 'Bad'. |
8 |
9 This change will be passed upstream. |
10 |
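--- lynx2-8-8/WWW/Library/Implementation/HTTP.h.orig 2015-03-10 08:40:16.089217608 -0700
+++ lynx2-8-8/WWW/Library/Implementation/HTTP.h 2015-03-10 08:41:05.590224096 -0700
@@ -21,6 +21,8 @@
 GLOBALREF HTProtocol HTTPS;
 #endif /* GLOBALREF_IS_MACRO */
 
+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
+
 #define URL_GET_METHOD 1
 #define URL_POST_METHOD 2
 #define URL_MAIL_METHOD 3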
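Review bot: The new `DEFAULT_CIPHER_SELECTION` macro carries no comment explaining the rule string, so a later maintainer cannot tell which suites it is meant to exclude, or why, without decoding OpenSSL cipher-list syntax. I would add above it: `/* OpenSSL cipher string: start from ALL, then remove (!) export-grade, anonymous (aNULL), LOW-strength and RC4 suites; see ciphers(1) */`. The rules are written back-to-back without the `:` separators that ciphers(1) documents (`ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4`); OpenSSL appears to treat a leading `!` as the start of a new rule, but the documented form is clearer and worth using. Whether the GnuTLS build (`USE_GNUTLS_INCL` is visible in HTTP.c) reaches this string through a compatibility layer is not visible here; if it does, confirm that layer honours OpenSSL cipher-list syntax rather than ignoring it.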
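--- lynx2-8-8/WWW/Library/Implementation/HTTP.c.orig 2015-03-10 08:40:31.459735465 -0700
+++ lynx2-8-8/WWW/Library/Implementation/HTTP.c 2015-03-10 08:53:29.358186971 -0700
@@ -105,6 +105,8 @@
 
 SSL *HTGetSSLHandle(void)
 {
+ char *ciphers;
+
 #ifdef USE_GNUTLS_INCL
 static char *certfile = NULL;
 #endif
@@ -121,6 +123,10 @@
 ssl_ctx = SSL_CTX_new(SSLv23_client_method());
 /* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
 SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
+ ciphers = (char *)DEFAULT_CIPHER_SELECTION;
+ SSL_CTX_set_cipher_list(ssl_ctx, ciphers);
+
 #ifdef SSL_OP_NO_COMPRESSION
 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
 #endif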
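Review bot: The return value of `SSL_CTX_set_cipher_list` in the second hunk is ignored, so if the rule string selects no suite at all (a parse error, or a build with every remaining suite compiled out) the context silently keeps the library's default list — the very set this patch is meant to exclude — and `HTGetSSLHandle` continues as though the restriction had applied. I would check it: `if (!SSL_CTX_set_cipher_list(ssl_ctx, ciphers)) { /* report through the function's existing error path; do not continue with the default list */ }`. The `(char *)` cast on `DEFAULT_CIPHER_SELECTION` also strips constness for no reason, since `SSL_CTX_set_cipher_list` takes a `const char *`; declaring `ciphers` as `const char *` in the first hunk, or passing the macro directly, removes the cast. `HTGetSSLHandle` starts in the first hunk and its body continues past the second, so the error-reporting convention it already uses is not visible here.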