Start Core Update 134
1 diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/include/openssl/ssl.h
2 --- openssl-1.1.1c.orig/include/openssl/ssl.h 2019-06-10 20:41:21.209140012 +0200
3 +++ openssl-1.1.1c/include/openssl/ssl.h 2019-06-10 20:42:26.733973129 +0200
4 @@ -170,11 +170,11 @@
5 * an application-defined cipher list string starts with 'DEFAULT'.
6 * This applies to ciphersuites for TLSv1.2 and below.
7 */
8 -# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
9 +# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS"
10 /* This is the default set of TLSv1.3 ciphersuites */
11 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
12 -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
13 - "TLS_CHACHA20_POLY1305_SHA256:" \
14 +# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
15 + "TLS_AES_256_GCM_SHA384:" \
16 "TLS_AES_128_GCM_SHA256"
17 # else
18 # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
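Review bot: The new `SSL_DEFAULT_CIPHER_LIST` only moves static-RSA key exchange and SHA-1 suites to the end of the list (`+kRSA`, `+SHA`) and does not remove them, so they stay negotiable whenever the peer's preference decides the suite, which is the case on the client side and on servers that do not set `SSL_OP_CIPHER_SERVER_PREFERENCE`. If that fallback is a deliberate compatibility choice, say so above the define, e.g. `/* Local default: kRSA and SHA-1 suites are kept, ordered last, for legacy peers */`; if it is not, appending `:!kRSA` would drop the suites without forward secrecy. The string also replaces upstream's `!COMPLEMENTOFDEFAULT` exclusion with a hand-written deny list, so the expanded result should be re-checked with `openssl ciphers -v DEFAULT` whenever the patch is rebased onto a new OpenSSL release. The `#else` branch of `TLS_DEFAULT_CIPHERSUITES` continues outside the hunk.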