19426049 remove export cipher suites from OpenSSL preference list for lynx
authorRich Burridge <rich.burridge@oracle.com>
Wed, 11 Mar 2015 08:28:16 -0700
changeset 3934 eb6d9a880b40
parent 3932 1b7dd68f6aa9
child 3936 c344422ee38b
19426049 remove export cipher suites from OpenSSL preference list for lynx
components/lynx/patches/03-weak-ciphers-by-default.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/lynx/patches/03-weak-ciphers-by-default.patch	Wed Mar 11 08:28:16 2015 -0700
@@ -0,0 +1,43 @@
+By default even recent versions of OpenSSL support and accept both
+"export strength" ciphers, small-bitsize ciphers as well as downright
+deprecated ones.
+
+This change sets a default cipher selection that tries to avoid the
+worst ones, and subsequently it makes https://www.howsmyssl.com/a/check
+no longer grade lynx/OpenSSL connects as 'Bad'.
+
+This change will be passed upstream.
+
+--- lynx2-8-8/WWW/Library/Implementation/HTTP.h.orig	2015-03-10 08:40:16.089217608 -0700
++++ lynx2-8-8/WWW/Library/Implementation/HTTP.h	2015-03-10 08:41:05.590224096 -0700
+@@ -21,6 +21,8 @@
+     GLOBALREF HTProtocol HTTPS;
+ #endif				/* GLOBALREF_IS_MACRO */
+ 
++#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
++
+ #define URL_GET_METHOD  1
+ #define URL_POST_METHOD 2
+ #define URL_MAIL_METHOD 3
+--- lynx2-8-8/WWW/Library/Implementation/HTTP.c.orig	2015-03-10 08:40:31.459735465 -0700
++++ lynx2-8-8/WWW/Library/Implementation/HTTP.c	2015-03-10 08:53:29.358186971 -0700
+@@ -105,6 +105,8 @@
+ 
+ SSL *HTGetSSLHandle(void)
+ {
++    char *ciphers;
++
+ #ifdef USE_GNUTLS_INCL
+     static char *certfile = NULL;
+ #endif
+@@ -121,6 +123,10 @@
+ 	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+ 	/* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
+ 	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
++
++	ciphers = (char *)DEFAULT_CIPHER_SELECTION;
++	SSL_CTX_set_cipher_list(ssl_ctx, ciphers);
++
+ #ifdef SSL_OP_NO_COMPRESSION
+ 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+ #endif
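Review bot: The return value of `SSL_CTX_set_cipher_list` on the added line is discarded, so if libssl rejects the string it returns 0 and silently leaves the context on its built-in default list, which still contains the EXPORT/RC4/aNULL suites this patch exists to remove; check it with `if (!SSL_CTX_set_cipher_list(ssl_ctx, DEFAULT_CIPHER_SELECTION))` and take whatever failure path this function uses when `SSL_CTX_new` fails (that code is outside the hunk), and drop the `ciphers` local with its `(char *)` cast, since the parameter is already `const char *`. The rule string is written as `ALL!EXPORT!EXPORT40!...`; OpenSSL's parser happens to accept a `!` rule immediately after a name, but the documented separator is `:`, and `ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4` is the unambiguous form that other libssl-compatible parsers are more likely to handle the same way. Be aware that `ALL` still admits 3DES, SEED and IDEA suites and, on most OpenSSL versions, the PSK/SRP families, so if the goal is current guidance rather than only clearing the howsmyssl "Bad" grade, appending `:!3DES` (and `:!PSK:!SRP` where applicable) is worth considering — this follows from the alias definitions, not from anything visible in the hunk. Because the list is a compile-time macro in HTTP.h, an administrator cannot tighten or relax it without a rebuild; an environment or lynx.cfg override would be the usual escape hatch unless lynx already has one that this hunk does not show. `HTGetSSLHandle` opens in the preceding hunk and its body continues past the end of this one.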