Hi. In Fedora we are moving to a system-wide policy for the ciphers that are used. [1] Therefore we need wget to be compiled with a set of ciphers other than the hard-coded one when using OpenSSL.

I'm attaching a patch adding a new configure option --with-openssl-ciphers-list=LIST, which can be used to redefine the ciphers list when compiled with OpenSSL. It can be used only if --with-ssl=openssl. If not defined, the ciphers list previously used by wget is used.

[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc.
http://cz.redhat.com
From cc3bf4d8f1819a864944b18190881d40ee7b9955 Mon Sep 17 00:00:00 2001 From: Tomas Hozza <[email protected]> Date: Mon, 7 Jul 2014 13:20:52 +0200 Subject: [PATCH] Add configure option --with-openssl-ciphers-list Allow the users to redefine the ciphers list used when compiled with OpenSSL. This is usable for distributions, that distribute wget as binary package and want to use own system-wide ciphers list. Signed-off-by: Tomas Hozza <[email protected]> --- ChangeLog | 5 +++++ configure.ac | 13 +++++++++++++ src/ChangeLog | 5 +++++ src/openssl.c | 6 +++++- 4 files changed, 28 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 2bfae67..8a1ff73 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2014-07-07 Tomas Hozza <[email protected]> + + * configure.ac: Add --with-openssl-ciphers-list to allow redefining the + ciphers list when using OpenSSL. + 2014-06-28 Giuseppe Scrivano <[email protected]> * cfg.mk (local-checks-to-skip): Remove some checks. diff --git a/configure.ac b/configure.ac index abc92fb..9fcb563 100644 --- a/configure.ac +++ b/configure.ac @@ -69,6 +69,12 @@ AC_ARG_WITH(ssl, [[ --without-ssl disable SSL autodetection --with-ssl={gnutls,openssl} specify the SSL backend. GNU TLS is the default.]]) +AC_ARG_WITH([openssl-ciphers-list], +[ --with-openssl-ciphers-list=LIST Use SSL cipers list for OpenSSL defined as + an argument.], +[with_openssl_ciphers_list="$withval"], +[with_openssl_ciphers_list=no]) + AC_ARG_WITH(zlib, [[ --without-zlib disable zlib ]]) 
@@ -364,6 +370,13 @@ else fi fi +# check which ciphers list should be used for OpenSSL +AS_IF([test x"$with_openssl_ciphers_list" != xno], [ + AS_IF([test x"$with_ssl" != xopenssl], [ + AC_MSG_ERROR([--with-openssl-ciphers-list can be used only with --with-ssl=openssl]) + ]) + AC_DEFINE_UNQUOTED([OPENSSL_CIPHERS_LIST], ["$with_openssl_ciphers_list"], [Use defined ciphers list for OpenSSL]) +]) dnl ********************************************************************** dnl Checks for IPv6 diff --git a/src/ChangeLog b/src/ChangeLog index 6360303..bfeafa5 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2014-07-07 Tomas Hozza <[email protected]> + + * openssl.c: Add definition of OPENSSL_CIPHERS_LIST + * openssl.c (ssl_init): Use the predefined OPENSSL_CIPHERS_LIST + 2014-07-05 Darshit Shah <[email protected]> * cookies.c (check_domain_match): Libpsl requires that all domain names diff --git a/src/openssl.c b/src/openssl.c index 879b27e..18ba21d 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -50,6 +50,10 @@ as that of the covered work. */ # include <w32sock.h> #endif +#ifndef OPENSSL_CIPHERS_LIST +# define OPENSSL_CIPHERS_LIST "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH" +#endif + /* Application-wide SSL context. This is common to all SSL connections. */ static SSL_CTX *ssl_ctx; @@ -223,7 +227,7 @@ ssl_init (void) * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more) */ if (opt.secure_protocol == secure_protocol_pfs) - SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH"); + SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST); SSL_CTX_set_default_verify_paths (ssl_ctx); SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory); -- 1.9.3
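Review bot: in the configure.ac hunk adding AC_ARG_WITH([openssl-ciphers-list]), the help text has a typo ("cipers") and reads awkwardly; suggest "--with-openssl-ciphers-list=LIST  Use LIST as the OpenSSL cipher list (only with --with-ssl=openssl)." so the help output also states the restriction that the later check enforces. The surrounding options use the [[ ... ]] double-quoted form; keeping that convention here avoids the help string being reparsed by m4.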
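Review bot: the second configure.ac hunk only rejects the value "no", so a bare `--with-openssl-ciphers-list` (no `=LIST`) leaves `$withval` as "yes", passes the `!= xno` test and ends up as `#define OPENSSL_CIPHERS_LIST "yes"`, which OpenSSL will reject as a cipher string at run time rather than at configure time. Suggest treating "yes" (and an empty value) as an error alongside the `--with-ssl=openssl` check, e.g. `AS_IF([test x"$with_openssl_ciphers_list" = xyes || test x"$with_openssl_ciphers_list" = x], [AC_MSG_ERROR([--with-openssl-ciphers-list requires a cipher list argument])])`, and printing the chosen list with AC_MSG_RESULT so it is visible in the configure log.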
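Review bot: in the src/openssl.c ssl_init hunk, the new OPENSSL_CIPHERS_LIST is still only applied under `if (opt.secure_protocol == secure_protocol_pfs)`, so a distribution-supplied list takes effect only when the user runs with --secure-protocol=PFS; every other mode keeps OpenSSL's built-in default and the system-wide policy the commit message describes is not honoured there. If the intent is a distribution-wide policy, the list should be set for the other secure_protocol modes as well (or the limitation stated in the option's help text). Two smaller points in the same hunk: the return value of `SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST);` is still ignored, so a malformed configure-time string silently leaves the default cipher list in place instead of failing ssl_init, which matters more now that the string is externally supplied; and the comment just above ("Since we want a good protection, we also use HIGH ...") describes the hard-coded list and becomes misleading once OPENSSL_CIPHERS_LIST is overridden, so it should say that the default can be replaced at configure time.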
