author | Daniel Stenberg <daniel@haxx.se> | 2014-01-11 00:05:19 +0100 |
committer | Daniel Stenberg <daniel@haxx.se> | 2014-01-12 00:14:01 +0100 |
commit | 3b5c75ef3d609584daef44ebbf2a592a966cbd6b (patch) | |
tree | 908853486ced794876df28a799fc151047cc68bf /lib/vtls/openssl.c | |
parent | 3b183df9cc781b329ca409ded1ea336530624715 (diff) |
OpenSSL: deselect weak ciphers by default
By default even recent versions of OpenSSL support and accept both
"export strength" ciphers, small-bitsize ciphers as well as downright
deprecated ones.
This change sets a default cipher set that avoids the worst ciphers, and
consequently makes https://www.howsmyssl.com/a/check no longer grade
curl/OpenSSL connects as 'Bad'.
Bug: http://curl.haxx.se/bug/view.cgi?id=1323
Reported-by: Jeff Hodges
Diffstat (limited to 'lib/vtls/openssl.c')
-rw-r--r-- | lib/vtls/openssl.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index dba5256d5..e83738f60 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1404,7 +1404,7 @@ ossl_connect_step1(struct connectdata *conn,
 int sockindex)
 {
 CURLcode retcode = CURLE_OK;
-
+ char *ciphers;
 struct SessionHandle *data = conn->data;
 SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
 void *ssl_sessionid=NULL;
@@ -1629,12 +1629,12 @@ ossl_connect_step1(struct connectdata *conn,
 }
 }
- if(data->set.str[STRING_SSL_CIPHER_LIST]) {
- if(!SSL_CTX_set_cipher_list(connssl->ctx,
- data->set.str[STRING_SSL_CIPHER_LIST])) {
- failf(data, "failed setting cipher list");
- return CURLE_SSL_CIPHER;
- }
+ ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
+ if(!ciphers)
+ ciphers = (char *)DEFAULT_CIPHER_SELECTION;
+ if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
+ failf(data, "failed setting cipher list: %s", ciphers);
+ return CURLE_SSL_CIPHER;
 }
#ifdef USE_TLS_SRP
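Review bot: `ciphers` is declared as `char *` in the first hunk and then assigned `(char *)DEFAULT_CIPHER_SELECTION` in the second, which casts away const from what is presumably a string-literal macro (its definition is outside this diff); since the only consumers here are `SSL_CTX_set_cipher_list` and a `%s` format argument, both of which take a `const char *`, declaring it `const char *ciphers;` removes the cast and the possibility of a later write through the pointer into read-only storage. The fallback deserves a why-comment so the next reader does not remove it as a behaviour change, e.g. `/* no cipher list given by the application: use the built-in default, which excludes export-grade and other weak suites */` above the `if(!ciphers)`. Passing the list through `%s` in `failf` is correct; keep it that way rather than ever using the string as the format itself. ossl_connect_step1 begins before the first hunk and continues past the second, so the remaining context-handling paths are not visible here.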