From: Bodo Möller <bodo@openssl.org>
Date: Mon, 19 Feb 2007 18:35:45 +0000 (+0000)
Subject: Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a
X-Git-Tag: OpenSSL_0_9_7m~12
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=3bd95a14ca76316e64e60c8e3f97a454eeb663bd;p=oweals%2Fopenssl.git

Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a
ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.
---

diff --git a/CHANGES b/CHANGES
index 2af9dfad71..e32b08cff4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]
 
+  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
+     a ciphersuite string such as "DEFAULT:RSA" cannot enable
+     authentication-only ciphersuites.
+     [Bodo Moeller]
+
   *) Since AES128 and AES256 share a single mask bit in the logic of
      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
      kludge to work properly if AES128 is available and AES256 isn't.
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 99e188086b..37f8d0171b 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -303,7 +303,7 @@ extern "C" {
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST	"ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL+RC4:@STRENGTH" /* low priority for RC4 */
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN	1