19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
authorRich Burridge <rich.burridge@oracle.com>
Wed, 02 Jul 2014 14:04:37 -0700
changeset 1980 aa71e25d90c5
parent 1979 bdbb0de8834e
child 1981 66b174f4707e
19138667 libcurl enables weak 40-bit crypto algorithms in SSL by default
components/curl/patches/013-OpenSSL-deselect-weak-ciphers-by-default.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/013-OpenSSL-deselect-weak-ciphers-by-default.patch	Wed Jul 02 14:04:37 2014 -0700
@@ -0,0 +1,67 @@
+From 30e24c74774ef642f6d34638bb2b701877c7ce93 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Sat, 11 Jan 2014 00:05:19 +0100
+Subject: [PATCH] OpenSSL: deselect weak ciphers by default
+
+By default even recent versions of OpenSSL supports and accepts both
+"export strength" ciphers, small-bitsize ciphers as well as downright
+deprecated ones.
+
+This change sets a default cipher selection that tries to avoid the
+worst ones, and subsequently it makes https://www.howsmyssl.com/a/check
+no longer grade curl/OpenSSL connects as 'Bad'.
+
+Bug: http://curl.haxx.se/bug/view.cgi?id=1323
+Reported-by: Jeff Hodges
+
+(Note that we have an older version of curl, and the required changes need
+to be made to .../lib/ssluse.[c,h] not .../lib/vtls/openssl.[c,h].)
+
+--- lib/ssluse.c.orig	2014-07-02 05:55:41.737906072 -0700
++++ lib/ssluse.c	2014-07-02 06:01:36.893672485 -0700
[email protected]@ -1439,6 +1439,7 @@
+ {
+   CURLcode retcode = CURLE_OK;
+ 
++  char *ciphers;
+   struct SessionHandle *data = conn->data;
+   SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
+   void *ssl_sessionid=NULL;
[email protected]@ -1614,12 +1615,12 @@
+     }
+   }
+ 
+-  if(data->set.str[STRING_SSL_CIPHER_LIST]) {
+-    if(!SSL_CTX_set_cipher_list(connssl->ctx,
+-                                data->set.str[STRING_SSL_CIPHER_LIST])) {
+-      failf(data, "failed setting cipher list");
+-      return CURLE_SSL_CIPHER;
+-    }
++  ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
++  if(!ciphers)
++    ciphers = (char *)DEFAULT_CIPHER_SELECTION;
++  if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
++    failf(data, "failed setting cipher list: %s", ciphers);
++    return CURLE_SSL_CIPHER;
+   }
+ 
+ #ifdef USE_TLS_SRP
+--- lib/ssluse.h.orig	2014-07-02 06:01:57.665442588 -0700
++++ lib/ssluse.h	2014-07-02 06:03:19.437812328 -0700
[email protected]@ -7,7 +7,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
[email protected]@ -83,5 +83,7 @@
+ #define curlssl_check_cxn Curl_ossl_check_cxn
+ #define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y)
+ 
++#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
++
+ #endif /* USE_SSLEAY */
+ #endif /* HEADER_CURL_SSLUSE_H */