# HG changeset patch
# User Rich Burridge
# Date 1426087696 25200
# Node ID eb6d9a880b4010ad6ac8cbc91e2adacafa3a70d4
# Parent 1b7dd68f6aa9dc5e79e139da94a341ddbb0e6d0b
19426049 remove export cipher suites from OpenSSL preference list for lynx
diff -r 1b7dd68f6aa9 -r eb6d9a880b40 components/lynx/patches/03-weak-ciphers-by-default.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/lynx/patches/03-weak-ciphers-by-default.patch Wed Mar 11 08:28:16 2015 -0700
@@ -0,0 +1,43 @@
+By default even recent versions of OpenSSL support and accept both
+"export strength" ciphers, small-bitsize ciphers as well as downright
+deprecated ones.
+
+This change sets a default cipher selection that tries to avoid the
+worst ones, and subsequently it makes https://www.howsmyssl.com/a/check
+no longer grade lynx/OpenSSL connects as 'Bad'.
+
+This change will be passed upstream.
+
+--- lynx2-8-8/WWW/Library/Implementation/HTTP.h.orig 2015-03-10 08:40:16.089217608 -0700
++++ lynx2-8-8/WWW/Library/Implementation/HTTP.h 2015-03-10 08:41:05.590224096 -0700
+@@ -21,6 +21,8 @@
+ GLOBALREF HTProtocol HTTPS;
+ #endif /* GLOBALREF_IS_MACRO */
+
++#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
++
+ #define URL_GET_METHOD 1
+ #define URL_POST_METHOD 2
+ #define URL_MAIL_METHOD 3
+--- lynx2-8-8/WWW/Library/Implementation/HTTP.c.orig 2015-03-10 08:40:31.459735465 -0700
++++ lynx2-8-8/WWW/Library/Implementation/HTTP.c 2015-03-10 08:53:29.358186971 -0700
+@@ -105,6 +105,8 @@
+
+ SSL *HTGetSSLHandle(void)
+ {
++ char *ciphers;
++
+ #ifdef USE_GNUTLS_INCL
+ static char *certfile = NULL;
+ #endif
+@@ -121,6 +123,10 @@
+ ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+ /* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
++
++ ciphers = (char *)DEFAULT_CIPHER_SELECTION;
++ SSL_CTX_set_cipher_list(ssl_ctx, ciphers);
++
+#ifdef SSL_OP_NO_COMPRESSION
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+ #endif
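Review bot: The return value of `SSL_CTX_set_cipher_list(ssl_ctx, ciphers);` in the HTTP.c part of the added patch is discarded, so if OpenSSL rejects the list (it returns 0 when no cipher can be selected) the context silently keeps its built-in default list, which still contains the export and aNULL suites this change is meant to exclude. A minimal guard is `if (!SSL_CTX_set_cipher_list(ssl_ctx, DEFAULT_CIPHER_SELECTION)) { /* report: no usable cipher selected */ }`, which also removes the `ciphers` temporary and the `(char *)` cast, since the parameter is a `const char *`. The selection string joins its rules with `!` alone rather than the `:` separator OpenSSL documents; current parsers appear to accept that form, but `"ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4"` is the documented spelling and the safer one to ship. HTGetSSLHandle's body continues outside the hunks shown.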