OpenSSL: lower priority for CBC ciphers in default cipherlist
1diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/include/openssl/ssl.h
2--- openssl-1.1.1c.orig/include/openssl/ssl.h 2019-06-10 20:41:21.209140012 +0200
3+++ openssl-1.1.1c/include/openssl/ssl.h 2019-06-10 20:42:26.733973129 +0200
4@@ -170,11 +170,11 @@
5 * an application-defined cipher list string starts with 'DEFAULT'.
6 * This applies to ciphersuites for TLSv1.2 and below.
7 */
8-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
69772b7d 9+# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS"
10 /* This is the default set of TLSv1.3 ciphersuites */
11 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
12-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
13- "TLS_CHACHA20_POLY1305_SHA256:" \
14+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
15+ "TLS_AES_256_GCM_SHA384:" \
16 "TLS_AES_128_GCM_SHA256"
17 # else
18 # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
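Review bot: The new SSL_DEFAULT_CIPHER_LIST on the `+# define` line only demotes the legacy suites rather than removing them — `+kRSA` and `+SHA` move static-RSA key exchange and SHA-1-MAC CBC suites to the tail, but `HIGH` still admits them, so a peer that offers nothing else, or a server that does not set SSL_OP_CIPHER_SERVER_PREFERENCE (in which case the client's order decides), can still end up on a non-forward-secret or CBC ciphersuite. If keeping them is deliberate for legacy clients the patch description should say so; otherwise `!kRSA` would remove the non-PFS suites instead of merely reordering them, and the CBC question should be decided explicitly rather than left to client preference. Note that this macro is the library-wide default for any application whose cipher string starts with `DEFAULT` (per the comment above the define), so the reordering reaches every OpenSSL consumer in the distribution, not one daemon. If the ChaCha20-first ordering in both lists is meant for clients without AES acceleration, the 1.1.1 server-side option SSL_OP_PRIORITIZE_CHACHA honours such a client's preference without demoting AES-GCM for everyone else, which may be worth mentioning in the patch header as a considered alternative.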