[GNUnet-SVN] [gnurl] 151/256: openssl: use OpenSSL's default ciphers by

gnunet-svn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GNUnet-SVN] [gnurl] 151/256: openssl: use OpenSSL's default ciphers by

From:	gnunet
Subject:	[GNUnet-SVN] [gnurl] 151/256: openssl: use OpenSSL's default ciphers by default
Date:	Fri, 06 Oct 2017 19:44:02 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit ea142a837e6931c73f2f0effaabbbe389a6510ac
Author: Kamil Dudka <address@hidden>
AuthorDate: Wed Aug 30 14:12:10 2017 +0200

    openssl: use OpenSSL's default ciphers by default
    
    Up2date versions of OpenSSL maintain the default reasonably secure
    without breaking compatibility, so it is better not to override the
    default by curl.  Suggested at https://bugzilla.redhat.com/1483972
    
    Closes #1846
---
 lib/vtls/openssl.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 394ce2e3d..c42143a85 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -154,8 +154,16 @@ static unsigned long OpenSSL_version_num(void)
 #define OSSL_PACKAGE "OpenSSL"
 #endif
 
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+/* up2date versions of OpenSSL maintain the default reasonably secure without
+ * breaking compatibility, so it is better not to override the default by curl
+ */
+#define DEFAULT_CIPHER_SELECTION NULL
+#else
+/* ... but it is not the case with old versions of OpenSSL */
 #define DEFAULT_CIPHER_SELECTION \
   "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
+#endif
 
 struct ssl_backend_data {
   /* these ones requires specific SSL-types */
@@ -2116,11 +2124,13 @@ static CURLcode ossl_connect_step1(struct connectdata 
*conn, int sockindex)
   ciphers = SSL_CONN_CONFIG(cipher_list);
   if(!ciphers)
     ciphers = (char *)DEFAULT_CIPHER_SELECTION;
-  if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) {
-    failf(data, "failed setting cipher list: %s", ciphers);
-    return CURLE_SSL_CIPHER;
+  if(ciphers) {
+    if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) {
+      failf(data, "failed setting cipher list: %s", ciphers);
+      return CURLE_SSL_CIPHER;
+    }
+    infof(data, "Cipher selection: %s\n", ciphers);
   }
-  infof(data, "Cipher selection: %s\n", ciphers);
 
 #ifdef USE_TLS_SRP
   if(ssl_authtype == CURL_TLSAUTH_SRP) {

-- 
To stop receiving notification emails like this one, please contact
address@hidden

[Prev in Thread]

Current Thread

[Next in Thread]

[GNUnet-SVN] [gnurl] 101/256: HELP-US.md: spelling, (continued)
- [GNUnet-SVN] [gnurl] 101/256: HELP-US.md: spelling, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 64/256: vtls: make sure every _sha256sum()'s first arg is const, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 139/256: RELEASE-NOTES: fixed the function counter script, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 117/256: curl_global_sslset: select backend by name case insensitively, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 110/256: cyassl: call it the "WolfSSL" backend, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 119/256: http: fix a memory leakage in checkrtspprefix()., gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 112/256: curl_global_sslset.3: show the struct and enum too, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 123/256: runtests.pl: allow <file[1-4]> tags in client section., gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 95/256: asyn-thread: Set errno to the proper value ENOMEM in OOM situation, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 114/256: strcase: corrected comment header for Curl_strcasecompare(), gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 151/256: openssl: use OpenSSL's default ciphers by default, gnunet <=
- [GNUnet-SVN] [gnurl] 156/256: runtests.pl: support attribute "nonewline" in part verify/upload., gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 66/256: vtls: declare Curl_ssl structs for every SSL backend, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 36/256: scripts/contri*sh: use "git log --use-mailmap", gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 141/256: test1135: fixed after bd8070085f9, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 70/256: vtls: convert the have_curlssl_* constants to runtime flags, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 104/256: curl_global_sslset.3: clarify, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 118/256: ossfuzz: Move to C++ for curl_fuzzer., gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 129/256: mime: fix some implicit curl_off_t --> size_t conversion warnings., gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 106/256: makefile.m32: add multissl support, gnunet, 2017/10/06
- [GNUnet-SVN] [gnurl] 85/256: vtls: refactor out essential information about the SSL backends, gnunet, 2017/10/06

Prev by Date: [GNUnet-SVN] [gnurl] 114/256: strcase: corrected comment header for Curl_strcasecompare()
Next by Date: [GNUnet-SVN] [gnurl] 156/256: runtests.pl: support attribute "nonewline" in part verify/upload.
Previous by thread: [GNUnet-SVN] [gnurl] 114/256: strcase: corrected comment header for Curl_strcasecompare()
Next by thread: [GNUnet-SVN] [gnurl] 156/256: runtests.pl: support attribute "nonewline" in part verify/upload.
Index(es):
- Date
- Thread