Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a

author Bodo Möller <bodo@openssl.org>

Mon, 19 Feb 2007 18:35:45 +0000 (18:35 +0000)

committer Bodo Möller <bodo@openssl.org>

Mon, 19 Feb 2007 18:35:45 +0000 (18:35 +0000)
author Bodo Möller <bodo@openssl.org>
Mon, 19 Feb 2007 18:35:45 +0000 (18:35 +0000)
committer Bodo Möller <bodo@openssl.org>
Mon, 19 Feb 2007 18:35:45 +0000 (18:35 +0000)
diff --git a/CHANGES b/CHANGES

index 2af9dfad71d09aa56dfdd5a1840d1cbf1af3c6ee..e32b08cff41cc3e1752687b972cbb63ef089ac20 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
  
   Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]
  
+  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
+     a ciphersuite string such as "DEFAULT:RSA" cannot enable
+     authentication-only ciphersuites.
+     [Bodo Moeller]
+
    *) Since AES128 and AES256 share a single mask bit in the logic of
       ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
       kludge to work properly if AES128 is available and AES256 isn't.
diff --git a/ssl/ssl.h b/ssl/ssl.h

index 99e188086b9af651ad8fd72fcdfa1ff1744105bf..37f8d0171b992de9b7aecc55ec85eb0d5e3ef3f5 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -303,7 +303,7 @@ extern "C" {
  /* The following cipher list is used by default.
   * It also is substituted when an application-defined cipher list string
   * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST        "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST        "ALL:!aNULL:!eNULL+RC4:@STRENGTH" /* low priority for RC4 */
  
  /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
  #define SSL_SENT_SHUTDOWN      1
author	Bodo Möller <bodo@openssl.org>
	Mon, 19 Feb 2007 18:35:45 +0000 (18:35 +0000)
committer	Bodo Möller <bodo@openssl.org>
	Mon, 19 Feb 2007 18:35:45 +0000 (18:35 +0000)
CHANGES		patch \| blob \| history
ssl/ssl.h		patch \| blob \| history