--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/014-OpenSSL-deselect-weak-ciphers-by-default.patch Wed Jul 23 06:05:53 2014 -0700
@@ -0,0 +1,67 @@
+From 30e24c74774ef642f6d34638bb2b701877c7ce93 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Sat, 11 Jan 2014 00:05:19 +0100
+Subject: [PATCH] OpenSSL: deselect weak ciphers by default
+
+By default even recent versions of OpenSSL supports and accepts both
+"export strength" ciphers, small-bitsize ciphers as well as downright
+deprecated ones.
+
+This change sets a default cipher selection that tries to avoid the
+worst ones, and subsequently it makes https://www.howsmyssl.com/a/check
+no longer grade curl/OpenSSL connects as 'Bad'.
+
+Bug: http://curl.haxx.se/bug/view.cgi?id=1323
+Reported-by: Jeff Hodges
+
+(Note that we have an older version of curl, and the required changes need
+to be made to .../lib/ssluse.[c,h] not .../lib/vtls/openssl.[c,h].)
+
+--- lib/ssluse.c.orig 2014-07-08 07:13:52.002064381 -0700
++++ lib/ssluse.c 2014-07-08 07:18:11.256793811 -0700
[email protected]@ -1422,6 +1422,7 @@
+ {
+ CURLcode retcode = CURLE_OK;
+
++ char *ciphers;
+ struct SessionHandle *data = conn->data;
+ SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
+ void *ssl_sessionid=NULL;
[email protected]@ -1556,12 +1557,12 @@
+ }
+ }
+
+- if(data->set.str[STRING_SSL_CIPHER_LIST]) {
+- if(!SSL_CTX_set_cipher_list(connssl->ctx,
+- data->set.str[STRING_SSL_CIPHER_LIST])) {
+- failf(data, "failed setting cipher list");
+- return CURLE_SSL_CIPHER;
+- }
++ ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
++ if(!ciphers)
++ ciphers = (char *)DEFAULT_CIPHER_SELECTION;
++ if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
++ failf(data, "failed setting cipher list: %s", ciphers);
++ return CURLE_SSL_CIPHER;
+ }
+
+ if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {
+--- lib/ssluse.h.orig 2014-07-08 07:13:58.481773165 -0700
++++ lib/ssluse.h 2014-07-08 07:16:39.119426762 -0700
[email protected]@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
[email protected]@ -80,5 +80,7 @@
+ #define curlssl_check_cxn Curl_ossl_check_cxn
+ #define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y)
+
++#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
++
+ #endif /* USE_SSLEAY */
+ #endif /* __SSLUSE_H */
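Review bot: In the ssluse.c hunk, `ciphers` is declared `char *` only so that the literal can be cast at `ciphers = (char *)DEFAULT_CIPHER_SELECTION;`; SSL_CTX_set_cipher_list() takes a `const char *`, so `const char *ciphers;` drops the cast, avoids a writable alias of a string literal, and still accepts the `data->set.str[STRING_SSL_CIPHER_LIST]` assignment unchanged. Separately, the macro added to ssluse.h joins its rules with no separators (`ALL!EXPORT!EXPORT40...`); OpenSSL's rule parser appears to treat each leading `!` as the start of a new rule, but the documented colon-separated form is what readers and other tooling expect, `#define DEFAULT_CIPHER_SELECTION "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4"`, and I would confirm the parsed result with `openssl ciphers -v '<string>'` before shipping the backport. Note that `ALL` still admits MD5-MAC and 3DES suites and the string applies no preference ordering, so this is a floor rather than a hardened default, and a caller-supplied list continues to override it. The function containing the ssluse.c change starts and ends outside the hunk.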