From: gnunet
Subject: [GNUnet-SVN] [gnurl] 151/256: openssl: use OpenSSL's default ciphers by default
Date: Fri, 06 Oct 2017 19:44:02 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit ea142a837e6931c73f2f0effaabbbe389a6510ac
Author: Kamil Dudka <address@hidden>
AuthorDate: Wed Aug 30 14:12:10 2017 +0200
openssl: use OpenSSL's default ciphers by default
Up2date versions of OpenSSL maintain the default reasonably secure
without breaking compatibility, so it is better not to override the
default by curl. Suggested at https://bugzilla.redhat.com/1483972
Closes #1846
---
lib/vtls/openssl.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 394ce2e3d..c42143a85 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -154,8 +154,16 @@ static unsigned long OpenSSL_version_num(void)
#define OSSL_PACKAGE "OpenSSL"
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+/* up2date versions of OpenSSL maintain the default reasonably secure without
+ * breaking compatibility, so it is better not to override the default by curl
+ */
+#define DEFAULT_CIPHER_SELECTION NULL
+#else
+/* ... but it is not the case with old versions of OpenSSL */
#define DEFAULT_CIPHER_SELECTION \
"ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
+#endif
struct ssl_backend_data {
/* these ones requires specific SSL-types */
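Review bot: the new #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) test keys the whole policy change on a header version number, and the comment does not say why 1.1.0 is the cutoff or what the library default is expected to exclude. The OSSL_PACKAGE define and #endif just above suggest this file is compiled against more than one OpenSSL-compatible package, so please confirm that each of them lands on the intended branch of this check, or exclude them explicitly. On the #else branch the old string "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" stays in force, so the effective default now differs by build. The diffstat shows only lib/vtls/openssl.c changed; the user-facing description of the default cipher list should say that on 1.1.0 and later the default comes from the library.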
@@ -2116,11 +2124,13 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
ciphers = SSL_CONN_CONFIG(cipher_list);
if(!ciphers)
ciphers = (char *)DEFAULT_CIPHER_SELECTION;
- if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) {
- failf(data, "failed setting cipher list: %s", ciphers);
- return CURLE_SSL_CIPHER;
+ if(ciphers) {
+ if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) {
+ failf(data, "failed setting cipher list: %s", ciphers);
+ return CURLE_SSL_CIPHER;
+ }
+ infof(data, "Cipher selection: %s\n", ciphers);
}
- infof(data, "Cipher selection: %s\n", ciphers);
#ifdef USE_TLS_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) {
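Review bot: when ciphers is NULL the new if(ciphers) block is skipped entirely, so the verbose output loses its "Cipher selection:" line with nothing in its place. Someone auditing a connection can then no longer tell from the log whether a cipher list was applied or the library default was left untouched. An else branch with an infof() saying that the OpenSSL default cipher list is in use would keep that visible. Moving the infof() inside the block, after the SSL_CTX_set_cipher_list() check, is fine for the non-NULL case. Minor: (char *)DEFAULT_CIPHER_SELECTION now casts NULL on 1.1.0 and later, which works but reads oddly; a short comment at the assignment that NULL means "leave the library default" would help the next reader.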