Hi,

This patch set is meant to remove ephemeral RSA support from the master branch,
and disable (weak) export ciphers by default. While coding I came along some
other stuff I fixed along the way:

1/6: Update two old calls to TLSv1*() functions to SSLv23*() functions, matching
     the TLS negotiation changes. This patch should be applied to both
     release/2.3 and master branches.

2/6: Update debug output to match the TLS negotiation changes. This patch
     should be applied to both release/2.3 and master branches.

3/6: Make --show-tls parse information retrieved from --tls-cipher options, to
     ease debugging and configuration. I think this one belongs in both
     release/2.3 and master too.

4/6: Remove the ephemeral RSA key generation callback, as discussed on the
     mailing list. This patch is for master only.

5/6: Preparation for 6/6, makes tls_ctx_restrict_ciphers accept a NULL pointer
     for the cipher_list parameter, in which case it will use default settings
     (which for now is 'do nothing'). This one could go into release/2.3,
     because it doesn't really change anything, but is not really needed there
     as 6/6 is master-only.

6/6: Disable export ciphers for OpenSSL builds. This is to avoid confusion,
     because otherwise the export ciphers that require ephemeral RSA would still
     be printed by --show-tls. Furthermore, export ciphers are deliberately weak
     and much better alternatives are available. This patch is for master only.

I've tried to exhaustively comment on the changes in the commit messages, but
if there are any remaining questions I'm happy to answer them.

-Steffan