From 3bd95a14ca76316e64e60c8e3f97a454eeb663bd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bodo=20M=C3=B6ller?= <bodo@openssl.org>
Date: Mon, 19 Feb 2007 18:35:45 +0000
Subject: [PATCH] Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
 a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only
 ciphersuites.

---
 CHANGES   | 5 +++++
 ssl/ssl.h | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 2af9dfad71..e32b08cff4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]
 
+  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
+     a ciphersuite string such as "DEFAULT:RSA" cannot enable
+     authentication-only ciphersuites.
+     [Bodo Moeller]
+
   *) Since AES128 and AES256 share a single mask bit in the logic of
      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
      kludge to work properly if AES128 is available and AES256 isn't.
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 99e188086b..37f8d0171b 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -303,7 +303,7 @@ extern "C" {
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST	"ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL+RC4:@STRENGTH" /* low priority for RC4 */
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN	1
-- 
2.25.1