[people/pmueller/ipfire-2.x.git] / src / patches / openssl-1.1.0g-weak-ciphers.patch

--- openssl-1.1.0g-orig/include/openssl/ssl.h	2017-11-02 15:29:05.000000000 +0100
+++ openssl-1.1.0g/include/openssl/ssl.h	2018-02-27 18:23:43.522649728 +0100
@@ -194,7 +194,7 @@
  * The following cipher list is used by default. It also is substituted when
  * an application-defined cipher list string starts with 'DEFAULT'.
  */
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+# define SSL_DEFAULT_CIPHER_LIST "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+kRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!kECDH:!IDEA:!SEED:!RC4:!kDH:!DSS"
 /*
  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
Commit	Line	Data
59294934 PMD	1	--- openssl-1.1.0g-orig/include/openssl/ssl.h 2017-11-02 15:29:05.000000000 +0100
	2	+++ openssl-1.1.0g/include/openssl/ssl.h 2018-02-27 18:23:43.522649728 +0100
	3	@@ -194,7 +194,7 @@
	4	* The following cipher list is used by default. It also is substituted when
	5	* an application-defined cipher list string starts with 'DEFAULT'.
	6	*/
	7	-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
	8	+# define SSL_DEFAULT_CIPHER_LIST "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+kRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!kECDH:!IDEA:!SEED:!RC4:!kDH:!DSS"
	9	/*
	10	* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
	11	* starts with a reasonable order, and all we have to do for DEFAULT is