From: Bodo Möller Date: Wed, 21 Feb 2007 09:33:14 +0000 (+0000) Subject: prefer SHA1 over MD5 (this affects the Kerberos ciphersuites) X-Git-Tag: OpenSSL_0_9_8k^2~962 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=aa79dd6895bb2d26b69d2df3b6355beb77fda089;p=oweals%2Fopenssl.git prefer SHA1 over MD5 (this affects the Kerberos ciphersuites)
---
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 666d44d34a..9b5a2648f6 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1180,12 +1180,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
 ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
- /* Temporarily enable AES first (preferred cipher) */
+ /* AES is our preferred symmetric cipher */
 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
- /* Temporarily enable everything else */
+ /* Temporarily enable everything else for sorting */
 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+ /* Low priority for MD5 */
+ ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, &tail);
+
 /* Move anonymous ciphers to the end. Usually, these will remain disabled.
 * (For applications that allow them, they aren't too bad, but we prefer
 * authenticated ciphers.) */
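Review bot: The new `/* Low priority for MD5 */` comment does not say that the `CIPHER_ORD` rule below it is a preference only. As far as this hunk shows, the rule moves the `SSL_MD5` suites within the list being sorted and removes nothing, so a deployment that must not negotiate MD5-MAC suites still has to exclude them in its cipher string (for example `!MD5`). The rule also runs before the anonymous-cipher step that follows, so any groups moved to the end afterwards will presumably sort behind the MD5 suites. I would write `/* Prefer SHA-1 over MD5 as MAC: move MD5 suites towards the end (ordering only, nothing is disabled here; later ORD rules sort after them) */`. The body of ssl_create_cipher_list starts and ends outside the hunk, so the final ordering should be confirmed against the full function.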