# HG changeset patch
# User Rich Burridge
# Date 1406319928 25200
# Node ID 5f64fead3ff714ecb6a49bcf1f81c2a2110216f7
# Parent 0b2103aa01c781aa1bada349cb6b64b644ac5979
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
diff -r 0b2103aa01c7 -r 5f64fead3ff7 components/curl/patches/014-OpenSSL-deselect-weak-ciphers-by-default.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/014-OpenSSL-deselect-weak-ciphers-by-default.patch Fri Jul 25 13:25:28 2014 -0700
@@ -0,0 +1,67 @@
+From 30e24c74774ef642f6d34638bb2b701877c7ce93 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 11 Jan 2014 00:05:19 +0100
+Subject: [PATCH] OpenSSL: deselect weak ciphers by default
+
+By default even recent versions of OpenSSL supports and accepts both
+"export strength" ciphers, small-bitsize ciphers as well as downright
+deprecated ones.
+
+This change sets a default cipher selection that tries to avoid the
+worst ones, and subsequently it makes https://www.howsmyssl.com/a/check
+no longer grade curl/OpenSSL connects as 'Bad'.
+
+Bug: http://curl.haxx.se/bug/view.cgi?id=1323
+Reported-by: Jeff Hodges
+
+(Note that we have an older version of curl, and the required changes need
+to be made to .../lib/ssluse.[c,h] not .../lib/vtls/openssl.[c,h].)
+
+--- lib/ssluse.c.orig 2014-07-08 07:13:52.002064381 -0700
++++ lib/ssluse.c 2014-07-08 07:18:11.256793811 -0700
+@@ -1422,6 +1422,7 @@
+ {
+ CURLcode retcode = CURLE_OK;
+
++ char *ciphers;
+ struct SessionHandle *data = conn->data;
+ SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
+ void *ssl_sessionid=NULL;
+@@ -1556,12 +1557,12 @@
+ }
+ }
+
+- if(data->set.str[STRING_SSL_CIPHER_LIST]) {
+- if(!SSL_CTX_set_cipher_list(connssl->ctx,
+- data->set.str[STRING_SSL_CIPHER_LIST])) {
+- failf(data, "failed setting cipher list");
+- return CURLE_SSL_CIPHER;
+- }
++ ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
++ if(!ciphers)
++ ciphers = (char *)DEFAULT_CIPHER_SELECTION;
++ if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
++ failf(data, "failed setting cipher list: %s", ciphers);
++ return CURLE_SSL_CIPHER;
+ }
+
+ if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {
+--- lib/ssluse.h.orig 2014-07-08 07:13:58.481773165 -0700
++++ lib/ssluse.h 2014-07-08 07:16:39.119426762 -0700
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -80,5 +80,7 @@
+ #define curlssl_check_cxn Curl_ossl_check_cxn
+ #define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y)
+
++#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
++
+ #endif /* USE_SSLEAY */
+ #endif /* __SSLUSE_H */
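Review bot: `DEFAULT_CIPHER_SELECTION` in the lib/ssluse.h hunk is an undocumented deny-list that starts from `ALL`, so any suite class the string does not name stays selectable by default; it names neither `3DES` nor `MD5`, and what that leaves enabled depends on the OpenSSL build this curl links against. A comment above the define would record the policy and its limit, for example `/* deny-list: start from ALL, drop export-grade, anonymous (aNULL), LOW and RC4 suites; used only when no cipher list has been set by the caller */`. It should also be clear to packagers that a caller-supplied `STRING_SSL_CIPHER_LIST` replaces this default entirely, so weak suites can still be re-enabled explicitly. Separately, in lib/ssluse.c `ciphers` is only passed to `SSL_CTX_set_cipher_list()` and `failf()`, so declaring it `const char *ciphers;` would remove the `(char *)` cast that strips const from the string literal. The enclosing function in lib/ssluse.c starts and ends outside the hunks shown.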