From 3b5c75ef3d609584daef44ebbf2a592a966cbd6b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sat, 11 Jan 2014 00:05:19 +0100
Subject: [PATCH] OpenSSL: deselect weak ciphers by default
By default even recent versions of OpenSSL support and accept both "export strength" ciphers, small-bitsize ciphers as well as downright deprecated ones. This change sets a default cipher set that avoids the worst ciphers, and subsequently makes https://www.howsmyssl.com/a/check no longer grade curl/OpenSSL connects as 'Bad'.
Bug: http://curl.haxx.se/bug/view.cgi?id=1323
Reported-by: Jeff Hodges
---
 lib/vtls/openssl.c | 14 +++++++-------
 lib/vtls/openssl.h | 4 +++-
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index dba5256..e83738f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1404,7 +1404,7 @@ ossl_connect_step1(struct connectdata *conn,
 int sockindex)
 {
 CURLcode retcode = CURLE_OK;
-
+ char *ciphers;
 struct SessionHandle *data = conn->data;
 SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
 void *ssl_sessionid=NULL;
@@ -1629,12 +1629,12 @@ ossl_connect_step1(struct connectdata *conn,
 }
 }
- if(data->set.str[STRING_SSL_CIPHER_LIST]) {
- if(!SSL_CTX_set_cipher_list(connssl->ctx,
- data->set.str[STRING_SSL_CIPHER_LIST])) {
- failf(data, "failed setting cipher list");
- return CURLE_SSL_CIPHER;
- }
+ ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
+ if(!ciphers)
+ ciphers = (char *)DEFAULT_CIPHER_SELECTION;
+ if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
+ failf(data, "failed setting cipher list: %s", ciphers);
+ return CURLE_SSL_CIPHER;
 }
 #ifdef USE_TLS_SRP
diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index f3b0f96..07448b5 100644
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
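Review bot: The `(char *)` cast on the `ciphers = (char *)DEFAULT_CIPHER_SELECTION;` line strips const from a string literal only because `ciphers` was declared `char *` in the earlier hunk; `SSL_CTX_set_cipher_list()` takes a `const char *`, so declaring `const char *ciphers;` and writing `ciphers = DEFAULT_CIPHER_SELECTION;` removes the cast, and the `data->set.str[STRING_SSL_CIPHER_LIST]` value still converts without one. The new code also changes behaviour in a way worth a comment: `SSL_CTX_set_cipher_list()` is now called on every connection, so a default list that OpenSSL rejects fails the handshake with CURLE_SSL_CIPHER instead of silently leaving OpenSSL's built-in default in place, e.g. `/* always constrain the cipher list; a rejected list is a hard failure on purpose */`. ossl_connect_step1() starts before this hunk and continues past it.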
@@ -7,7 +7,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -95,5 +95,7 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */
 #define curlssl_random(x,y,z) Curl_ossl_random(x,y,z)
 #define curlssl_md5sum(a,b,c,d) Curl_ossl_md5sum(a,b,c,d)
+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
+
 #endif /* USE_SSLEAY */
 #endif /* HEADER_CURL_SSLUSE_H */
-- 
2.7.4
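Review bot: The value on the `+#define DEFAULT_CIPHER_SELECTION` line runs its rules together without the `:` separators that OpenSSL's documented cipher-list syntax uses; as far as I can tell OpenSSL's parser accepts a `!` directly after a rule name, but that is parser leniency rather than the documented format, and `"ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4"` expresses the same selection in the form readers and the ciphers(1) manual expect. `EXPORT40` and `EXPORT56` are subsets of `EXPORT`, so they add nothing beyond explicitness. A one-line comment above the define stating the intent would help whoever tunes it next, e.g. `/* default cipher string: everything except export-grade, anonymous (unauthenticated), low-strength and RC4 suites */`.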