Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+ *) Default cipher lists/suites are now avaialble via a function, the
+ #defines are deprecated.
+ [Todd Short]
+
*) Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
for Windows Store apps easier. Also, the "no-uplink" option has been added.
SSL_CTX_set_cipher_list,
SSL_set_cipher_list,
SSL_CTX_set_ciphersuites,
-SSL_set_ciphersuites
+SSL_set_ciphersuites,
+OSSL_default_cipher_list,
+OSSL_default_ciphersuites
- choose list of available SSL_CIPHERs
=head1 SYNOPSIS
int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str);
int SSL_set_ciphersuites(SSL *s, const char *str);
+ const char *OSSL_default_cipher_list(void);
+ const char *OSSL_default_ciphersuites(void);
+
=head1 DESCRIPTION
SSL_CTX_set_cipher_list() sets the list of available ciphers (TLSv1.2 and below)
SSL_set_ciphersuites() is the same as SSL_CTX_set_ciphersuites() except it
configures the ciphersuites for B<ssl>.
+OSSL_default_cipher_list() returns the default cipher string for TLSv1.2
+(and earlier) ciphers. OSSL_default_ciphersuites() returns the default
+cipher string for TLSv1.3 ciphersuites.
+
=head1 NOTES
The control string B<str> for SSL_CTX_set_cipher_list() and
keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
and the handshake will fail.
+OSSL_default_cipher_list() and OSSL_default_ciphersuites() replace
+SSL_DEFAULT_CIPHER_LIST and TLS_DEFAULT_CIPHERSUITES, respectively. The
+cipher list defines are deprecated as of 3.0.0.
+
=head1 RETURN VALUES
SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher
L<SSL_CTX_set_tmp_dh_callback(3)>,
L<ciphers(1)>
+=head1 HISTORY
+
+OSSL_default_cipher_list() and OSSL_default_ciphersites() are new in 3.0.0.
+
=head1 COPYRIGHT
Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
* This applies to ciphersuites for TLSv1.2 and below.
+ * DEPRECATED IN 3.0.0, in favor of OSSL_default_cipher_list()
+ * Update both macro and function simultaneously
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
-/* This is the default set of TLSv1.3 ciphersuites */
-# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \
- "TLS_AES_128_GCM_SHA256"
-# else
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+# if !OPENSSL_API_3
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+/*
+ * This is the default set of TLSv1.3 ciphersuites
+ * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
+ * Update both macro and function simultaneously
+ */
+# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+ "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_128_GCM_SHA256"
+# else
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
"TLS_AES_128_GCM_SHA256"
-#endif
+# endif
+# endif
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
SSL_allow_early_data_cb_fn cb,
void *arg);
+/* store the default cipher strings inside the library */
+const char *OSSL_default_cipher_list(void);
+const char *OSSL_default_ciphersuites(void);
+
# ifdef __cplusplus
}
# endif
ok = 1;
rule_p = rule_str;
if (strncmp(rule_str, "DEFAULT", 7) == 0) {
- ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
+ ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
&head, &tail, ca_list, c);
rule_p += 7;
if (*rule_p == ':')
return 1;
return 0;
}
+
+/*
+ * Default list of TLSv1.2 (and earlier) ciphers
+ * SSL_DEFAULT_CIPHER_LIST deprecated in 3.0.0
+ * Update both macro and function simultaneously
+ */
+const char *OSSL_default_cipher_list(void)
+{
+ return "ALL:!COMPLEMENTOFDEFAULT:!eNULL";
+}
+
+/*
+ * Default list of TLSv1.3 (and later) ciphers
+ * TLS_DEFAULT_CIPHERSUITES deprecated in 3.0.0
+ * Update both macro and function simultaneously
+ */
+const char *OSSL_default_ciphersuites(void)
+{
+ return "TLS_AES_256_GCM_SHA384:"
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ "TLS_CHACHA20_POLY1305_SHA256:"
+#endif
+ "TLS_AES_128_GCM_SHA256";
+}
ctx->method = meth;
- if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) {
+ if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) {
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
}
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
- SSL_DEFAULT_CIPHER_LIST, ctx->cert);
+ OSSL_default_cipher_list(), ctx->cert);
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
goto err;
#endif
- if (!SSL_CTX_set_ciphersuites(ret, TLS_DEFAULT_CIPHERSUITES))
+ if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites()))
goto err;
if (!ssl_create_cipher_list(ret->method,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
- SSL_DEFAULT_CIPHER_LIST, ret->cert)
+ OSSL_default_cipher_list(), ret->cert)
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
SSL_set_async_callback_arg 505 3_0_0 EXIST::FUNCTION:
SSL_get_async_status 506 3_0_0 EXIST::FUNCTION:
SSL_sendfile 507 3_0_0 EXIST::FUNCTION:
+OSSL_default_cipher_list 508 3_0_0 EXIST::FUNCTION:
+OSSL_default_ciphersuites 509 3_0_0 EXIST::FUNCTION:
SSL_CTX_set_tlsext_ticket_key_cb define
SSL_CTX_set_tmp_dh define
SSL_CTX_set_tmp_ecdh define
+SSL_DEFAULT_CIPHER_LIST define deprecated 3.0.0
SSL_add0_chain_cert define
SSL_add1_chain_cert define
SSL_build_cert_chain define
SSLv23_client_method define
SSLv23_method define
SSLv23_server_method define
+TLS_DEFAULT_CIPHERSUITES define deprecated 3.0.0
X509_STORE_set_lookup_crls_cb define
X509_STORE_set_verify_func define
EVP_PKEY_CTX_set1_id define
projects / openssl / commitdiff