OpenSSL: deselect weak ciphers by default

By default even recent versions of OpenSSL support and accept both
"export strength" ciphers, small-bitsize ciphers as well as downright
deprecated ones.

This change sets a default cipher set that avoids the worst ciphers, and
subsequently makes https://www.howsmyssl.com/a/check no longer grade
curl/OpenSSL connects as 'Bad'.

Bug: http://curl.haxx.se/bug/view.cgi?id=1323
Reported-by: Jeff Hodges

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index dba5256d525060db107d479af5166b17b9559d15..e83738f60604fb48a753206580d7f01305bbe5d3 100644 (file)
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1404,7 +1404,7 @@ ossl_connect_step1(struct connectdata *conn,
                    int sockindex)
 {
   CURLcode retcode = CURLE_OK;
-
+  char *ciphers;
   struct SessionHandle *data = conn->data;
   SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
   void *ssl_sessionid=NULL;
@@ -1629,12 +1629,12 @@ ossl_connect_step1(struct connectdata *conn,
     }
   }
 
-  if(data->set.str[STRING_SSL_CIPHER_LIST]) {
-    if(!SSL_CTX_set_cipher_list(connssl->ctx,
-                                data->set.str[STRING_SSL_CIPHER_LIST])) {
-      failf(data, "failed setting cipher list");
-      return CURLE_SSL_CIPHER;
-    }
+  ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
+  if(!ciphers)
+    ciphers = (char *)DEFAULT_CIPHER_SELECTION;
+  if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
+    failf(data, "failed setting cipher list: %s", ciphers);
+    return CURLE_SSL_CIPHER;
   }
 
 #ifdef USE_TLS_SRP

diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index f3b0f967c2c9092583aa7e28c574febbc13485d6..07448b50b4975430c9cd6cd20472a31d2c76440c 100644 (file)
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -95,5 +95,7 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */
 #define curlssl_random(x,y,z) Curl_ossl_random(x,y,z)
 #define curlssl_md5sum(a,b,c,d) Curl_ossl_md5sum(a,b,c,d)
 
+#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
+
 #endif /* USE_SSLEAY */
 #endif /* HEADER_CURL_SSLUSE_H */