aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
diff options
context:
space:
mode:
authorKamil Dudka <kdudka@redhat.com>2017-08-30 14:12:10 +0200
committerKamil Dudka <kdudka@redhat.com>2017-09-05 12:13:38 +0200
commitea142a837e6931c73f2f0effaabbbe389a6510ac (patch)
tree1a9f8e0b27db971baa6ea4ce3c6fbc60c3ac621f /lib/vtls
parent25fc694a410043cf0fdb8725685e1426b3093d43 (diff)
openssl: use OpenSSL's default ciphers by default
Up2date versions of OpenSSL maintain the default reasonably secure without breaking compatibility, so it is better not to override the default by curl. Suggested at https://bugzilla.redhat.com/1483972 Closes #1846
Diffstat (limited to 'lib/vtls')
-rw-r--r--lib/vtls/openssl.c18
1 files changed, 14 insertions, 4 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 394ce2e3d..c42143a85 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -154,8 +154,16 @@ static unsigned long OpenSSL_version_num(void)
#define OSSL_PACKAGE "OpenSSL"
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+/* up2date versions of OpenSSL maintain the default reasonably secure without
+ * breaking compatibility, so it is better not to override the default by curl
+ */
+#define DEFAULT_CIPHER_SELECTION NULL
+#else
+/* ... but it is not the case with old versions of OpenSSL */
#define DEFAULT_CIPHER_SELECTION \
"ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
+#endif
struct ssl_backend_data {
/* these ones requires specific SSL-types */
@@ -2116,11 +2124,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
ciphers = SSL_CONN_CONFIG(cipher_list);
if(!ciphers)
ciphers = (char *)DEFAULT_CIPHER_SELECTION;
- if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) {
- failf(data, "failed setting cipher list: %s", ciphers);
- return CURLE_SSL_CIPHER;
+ if(ciphers) {
+ if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) {
+ failf(data, "failed setting cipher list: %s", ciphers);
+ return CURLE_SSL_CIPHER;
+ }
+ infof(data, "Cipher selection: %s\n", ciphers);
}
- infof(data, "Cipher selection: %s\n", ciphers);
#ifdef USE_TLS_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) {