authorDaniel Stenberg <daniel@haxx.se>2014-01-11 00:05:19 +0100
committerDaniel Stenberg <daniel@haxx.se>2014-01-12 00:14:01 +0100
commit3b5c75ef3d609584daef44ebbf2a592a966cbd6b (patch)
tree908853486ced794876df28a799fc151047cc68bf /lib/vtls/openssl.h
parent3b183df9cc781b329ca409ded1ea336530624715 (diff)
OpenSSL: deselect weak ciphers by default
By default even recent versions of OpenSSL support and accept both "export strength" ciphers, small-bitsize ciphers as well as downright deprecated ones. This change sets a default cipher set that avoids the worst ciphers, and subsequently makes https://www.howsmyssl.com/a/check no longer grade curl/OpenSSL connects as 'Bad'. Bug: http://curl.haxx.se/bug/view.cgi?id=1323 Reported-by: Jeff Hodges
Diffstat (limited to 'lib/vtls/openssl.h')
-rw-r--r--lib/vtls/openssl.h4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index f3b0f967c..07448b50b 100644
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
@@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -95,5 +95,7 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */
#define curlssl_random(x,y,z) Curl_ossl_random(x,y,z)
#define curlssl_md5sum(a,b,c,d) Curl_ossl_md5sum(a,b,c,d)
+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
+
#endif /* USE_SSLEAY */
#endif /* HEADER_CURL_SSLUSE_H */
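Review bot: The string given to `DEFAULT_CIPHER_SELECTION` runs its items together with no separator, whereas OpenSSL's documented cipher-list format separates items with colons (commas and spaces are also accepted). That the run-together form parses at all appears to depend on the parser ending a name at `!`, not on anything documented, so I would write `#define DEFAULT_CIPHER_SELECTION "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4"`. A comment above the define, for example `/* default cipher list: no export-grade, anonymous (aNULL), LOW or RC4 suites */`, would record why each exclusion is there. The code that consumes the macro is outside this page; since a rejected or misparsed list would leave the weak suites enabled without any visible failure, it is worth confirming that the call site checks the result of setting the cipher list.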