mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-03-19 19:50:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

Don't build RC4 ciphersuites into libssl by default

Browse Source 
RC4 based ciphersuites in libssl have been disabled by default. They can
be added back by building OpenSSL with the "enable-weak-ssl-ciphers"
Configure option at compile time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Matt Caswell 2016-03-03 15:40:51 +00:00
parent f04abe7d50
commit 8b1a5af389
4 changed files with 43 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -4,6 +4,11 @@
Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]
*) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
disabled by default. They can be re-enabled using the
enable-weak-ssl-ciphers option to Configure.
[Matt Caswell]
*) If the server has ALPN configured, but supports no protocols that the
client advertises, send a fatal "no_application_protocol" alert.
This behaviour is SHALL in RFC 7301, though it isn't universally

29
Configure
View File

@ -57,6 +57,9 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
# library and will be loaded in run-time by the OpenSSL library.
# sctp include SCTP support
# 386 generate 80386 code
# enable-weak-ssl-ciphers
# Enable weak ciphers that are disabled by default. This currently
# only includes RC4 based ciphers.
# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through
@ -313,6 +316,7 @@ my @disablables = (
"ui",
"unit-test",
"whirlpool",
"weak-ssl-ciphers",
"zlib",
"zlib-dynamic",
);
@ -330,18 +334,19 @@ my @deprecated_disablables = (
our %disabled = ( # "what" => "comment"
"ec_nistp_64_gcc_128" => "default",
"egd" => "default",
"md2" => "default",
"rc5" => "default",
"sctp" => "default",
"shared" => "default",
"ssl-trace" => "default",
"static-engine" => "default",
"unit-test" => "default",
"zlib" => "default",
"zlib-dynamic" => "default",
"crypto-mdebug" => "default",
"heartbeats" => "default",
"egd" => "default",
"md2" => "default",
"rc5" => "default",
"sctp" => "default",
"shared" => "default",
"ssl-trace" => "default",
"static-engine" => "default",
"unit-test" => "default",
"weak-ssl-ciphers" => "default",
"zlib" => "default",
"zlib-dynamic" => "default",
"crypto-mdebug" => "default",
"heartbeats" => "default",
);
# Note: => pair form used for aesthetics, not to truly make a hash table

5
doc/apps/ciphers.pod
View File

@ -144,9 +144,10 @@ When used, this must be the first cipherstring specified.
=item B<COMPLEMENTOFDEFAULT>
The ciphers included in B<ALL>, but not enabled by default. Currently
this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does
this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
necessary).
necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL>

18
ssl/s3_lib.c
View File

@ -195,6 +195,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 04 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_RSA_RC4_128_MD5,
@ -225,6 +226,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher 07 */
#ifndef OPENSSL_NO_IDEA
@ -293,6 +295,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 18 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_ADH_RC4_128_MD5,
@ -307,6 +310,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher 1B */
{
@ -813,6 +817,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
#ifndef OPENSSL_NO_PSK
/* PSK ciphersuites from RFC 4279 */
/* Cipher 8A */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_PSK_WITH_RC4_128_SHA,
@ -827,6 +832,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher 8B */
{
@ -877,6 +883,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 8E */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA,
@ -891,6 +898,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher 8F */
{
@ -941,6 +949,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 92 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA,
@ -955,6 +964,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher 93 */
{
@ -1646,6 +1656,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher C007 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
@ -1660,6 +1671,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher C008 */
{
@ -1726,6 +1738,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher C011 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
@ -1740,6 +1753,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher C012 */
{
@ -1806,6 +1820,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher C016 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
@ -1820,6 +1835,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher C017 */
{
@ -2152,6 +2168,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
/* PSK ciphersuites from RFC 5489 */
/* Cipher C033 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
@ -2166,6 +2183,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher C034 */
{