Mercurial Mercurial > upstream > oracle > userland-gate / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/curl/patches/013-OpenSSL-deselect-weak-ciphers-by-default.patch
changeset 2151 8977d970976a
parent 2150 1acc968ac0d9
child 2152 1cea7a430dd7 
--- a/components/curl/patches/013-OpenSSL-deselect-weak-ciphers-by-default.patch	Tue Oct 14 13:47:57 2014 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,67 +0,0 @@
-From 30e24c74774ef642f6d34638bb2b701877c7ce93 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <[email protected]>
-Date: Sat, 11 Jan 2014 00:05:19 +0100
-Subject: [PATCH] OpenSSL: deselect weak ciphers by default
-
-By default even recent versions of OpenSSL supports and accepts both
-"export strength" ciphers, small-bitsize ciphers as well as downright
-deprecated ones.
-
-This change sets a default cipher selection that tries to avoid the
-worst ones, and subsequently it makes https://www.howsmyssl.com/a/check
-no longer grade curl/OpenSSL connects as 'Bad'.
-
-Bug: http://curl.haxx.se/bug/view.cgi?id=1323
-Reported-by: Jeff Hodges
-
-(Note that we have an older version of curl, and the required changes need
-to be made to .../lib/ssluse.[c,h] not .../lib/vtls/openssl.[c,h].)
-
---- lib/ssluse.c.orig	2014-07-02 05:55:41.737906072 -0700
-+++ lib/ssluse.c	2014-07-02 06:01:36.893672485 -0700
-@@ -1439,6 +1439,7 @@
- {
-   CURLcode retcode = CURLE_OK;
- 
-+  char *ciphers;
-   struct SessionHandle *data = conn->data;
-   SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
-   void *ssl_sessionid=NULL;
-@@ -1614,12 +1615,12 @@
-     }
-   }
- 
--  if(data->set.str[STRING_SSL_CIPHER_LIST]) {
--    if(!SSL_CTX_set_cipher_list(connssl->ctx,
--                                data->set.str[STRING_SSL_CIPHER_LIST])) {
--      failf(data, "failed setting cipher list");
--      return CURLE_SSL_CIPHER;
--    }
-+  ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
-+  if(!ciphers)
-+    ciphers = (char *)DEFAULT_CIPHER_SELECTION;
-+  if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
-+    failf(data, "failed setting cipher list: %s", ciphers);
-+    return CURLE_SSL_CIPHER;
-   }
- 
- #ifdef USE_TLS_SRP
---- lib/ssluse.h.orig	2014-07-02 06:01:57.665442588 -0700
-+++ lib/ssluse.h	2014-07-02 06:03:19.437812328 -0700
-@@ -7,7 +7,7 @@
-  *                            | (__| |_| |  _ <| |___
-  *                             \___|\___/|_| \_\_____|
-  *
-- * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al.
-+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al.
-  *
-  * This software is licensed as described in the file COPYING, which
-  * you should have received as part of this distribution. The terms
-@@ -83,5 +83,7 @@
- #define curlssl_check_cxn Curl_ossl_check_cxn
- #define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y)
- 
-+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
-+
- #endif /* USE_SSLEAY */
- #endif /* HEADER_CURL_SSLUSE_H */
upstream/oracle/userland-gate