On Thu, 9 Jan 2014, Daniel Stenberg wrote:
#1323 - remove export cipher suites from OpenSSL preference list
https://sourceforge.net/p/curl/bugs/1323/
I'm thinking a fix like this. See attached.
--
/ daniel.haxx.se
From 30e24c74774ef642f6d34638bb2b701877c7ce93 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Sat, 11 Jan 2014 00:05:19 +0100
Subject: [PATCH] OpenSSL: deselect weak ciphers by default
By default even recent versions of OpenSSL supports and accepts both
"export strength" ciphers, small-bitsize ciphers as well as downright
deprecated ones.
This change sets a default cipher selection that tries to avoid the
worst ones, and subsequently it makes https://www.howsmyssl.com/a/check
no longer grade curl/OpenSSL connects as 'Bad'.
Bug: http://curl.haxx.se/bug/view.cgi?id=1323
Reported-by: Jeff Hodges
---
lib/vtls/openssl.c | 14 +++++++-------
lib/vtls/openssl.h | 4 +++-
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index dba5256..e83738f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1404,7 +1404,7 @@ ossl_connect_step1(struct connectdata *conn,
int sockindex)
{
CURLcode retcode = CURLE_OK;
-
+ char *ciphers;
struct SessionHandle *data = conn->data;
SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
void *ssl_sessionid=NULL;
@@ -1629,12 +1629,12 @@ ossl_connect_step1(struct connectdata *conn,
}
}
- if(data->set.str[STRING_SSL_CIPHER_LIST]) {
- if(!SSL_CTX_set_cipher_list(connssl->ctx,
- data->set.str[STRING_SSL_CIPHER_LIST])) {
- failf(data, "failed setting cipher list");
- return CURLE_SSL_CIPHER;
- }
+ ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
+ if(!ciphers)
+ ciphers = (char *)DEFAULT_CIPHER_SELECTION;
+ if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
+ failf(data, "failed setting cipher list: %s", ciphers);
+ return CURLE_SSL_CIPHER;
}
#ifdef USE_TLS_SRP
diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index f3b0f96..07448b5 100644
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
@@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -95,5 +95,7 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */
#define curlssl_random(x,y,z) Curl_ossl_random(x,y,z)
#define curlssl_md5sum(a,b,c,d) Curl_ossl_md5sum(a,b,c,d)
+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
+
#endif /* USE_SSLEAY */
#endif /* HEADER_CURL_SSLUSE_H */
--
1.8.5.2
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
