authorDaniel Stenberg <daniel@haxx.se>2014-01-11 00:05:19 +0100
committerDaniel Stenberg <daniel@haxx.se>2014-01-12 00:14:01 +0100
commit3b5c75ef3d609584daef44ebbf2a592a966cbd6b (patch)
tree908853486ced794876df28a799fc151047cc68bf /lib/vtls/openssl.c
parent3b183df9cc781b329ca409ded1ea336530624715 (diff)
OpenSSL: deselect weak ciphers by default
By default even recent versions of OpenSSL support and accept "export strength" ciphers, small-bitsize ciphers and downright deprecated ones. This change sets a default cipher set that avoids the worst ciphers, and subsequently makes https://www.howsmyssl.com/a/check no longer grade curl/OpenSSL connects as 'Bad'. Bug: http://curl.haxx.se/bug/view.cgi?id=1323 Reported-by: Jeff Hodges
Diffstat (limited to 'lib/vtls/openssl.c')
-rw-r--r--lib/vtls/openssl.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index dba5256d5..e83738f60 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1404,7 +1404,7 @@ ossl_connect_step1(struct connectdata *conn,
int sockindex)
{
CURLcode retcode = CURLE_OK;
-
+ char *ciphers;
struct SessionHandle *data = conn->data;
SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
void *ssl_sessionid=NULL;
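Review bot: The added declaration `char *ciphers;` should be `const char *ciphers;` — the variable is only ever assigned from `data->set.str[STRING_SSL_CIPHER_LIST]` or the `DEFAULT_CIPHER_SELECTION` string and then handed to SSL_CTX_set_cipher_list(), which takes a `const char *`, so nothing here writes through it. With the const qualifier the `(char *)DEFAULT_CIPHER_SELECTION` cast in the second hunk becomes unnecessary and the compiler keeps the default string literal protected from accidental modification. DEFAULT_CIPHER_SELECTION itself is defined outside this diff, so its exact contents cannot be reviewed here. ossl_connect_step1's body continues well outside the hunk.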
@@ -1629,12 +1629,12 @@ ossl_connect_step1(struct connectdata *conn,
}
}
- if(data->set.str[STRING_SSL_CIPHER_LIST]) {
- if(!SSL_CTX_set_cipher_list(connssl->ctx,
- data->set.str[STRING_SSL_CIPHER_LIST])) {
- failf(data, "failed setting cipher list");
- return CURLE_SSL_CIPHER;
- }
+ ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
+ if(!ciphers)
+ ciphers = (char *)DEFAULT_CIPHER_SELECTION;
+ if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
+ failf(data, "failed setting cipher list: %s", ciphers);
+ return CURLE_SSL_CIPHER;
}
#ifdef USE_TLS_SRP