OpenSSL: lower priority for CBC ciphers in default cipherlist
similarity index 66%
rename from src/patches/openssl-1.1.1a-default-cipherlist.patch
rename to src/patches/openssl-1.1.1c-default-cipherlist.patch
index dfe156bf56f61085500769fb7623238134bafe0d..72f6ce3b1d596e09dd99092ee86b74b0cff51dfc 100644 (file)
@@ -1,11 +1,12 @@
---- openssl-1.1.1.orig/include/openssl/ssl.h   2018-09-11 14:48:23.000000000 +0200
-+++ openssl-1.1.1/include/openssl/ssl.h        2018-11-05 16:55:03.935513159 +0100
+diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/include/openssl/ssl.h
+--- openssl-1.1.1c.orig/include/openssl/ssl.h  2019-06-10 20:41:21.209140012 +0200
++++ openssl-1.1.1c/include/openssl/ssl.h       2019-06-10 20:42:26.733973129 +0200
 @@ -170,11 +170,11 @@
   * an application-defined cipher list string starts with 'DEFAULT'.
   * This applies to ciphersuites for TLSv1.2 and below.
   */
 -# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
-+# define SSL_DEFAULT_CIPHER_LIST "TLSv1.3:CHACHA20:HIGH:+DH:+aRSA:+SHA:+kRSA:!aNULL:!eNULL:!SRP:!PSK:!DSS:!AESCCM"
++# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS"
  /* This is the default set of TLSv1.3 ciphersuites */
  # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
 -#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
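Review bot: The new `SSL_DEFAULT_CIPHER_LIST` only reorders suites with `+SHA384:+SHA256:+SHA:+kRSA`, so CBC suites (including the SHA-1 ones) and static-RSA key exchange remain negotiable, and nothing in the patched header says so. In OpenSSL cipher strings a `+` entry moves the matching suites to the end of the list rather than removing them, and the lowered priority only takes effect where the local preference order is honoured, for example on a server with server-side cipher preference enabled. Because `+DH` follows `+SHA384:+SHA256`, the DHE AEAD suites appear to end up behind the ECDHE CBC suites, which is worth confirming with `openssl ciphers -v` against the built library. I would record the intent in the comment block above the define, for example `* '+' entries only lower priority; CBC/SHA-1 and kRSA suites stay enabled.`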
@@ -15,4 +16,3 @@
                                     "TLS_AES_128_GCM_SHA256"
  # else
  #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
-