update default cipherlist patch for OpenSSL 1.1.1
[people/pmueller/ipfire-2.x.git] / src / patches / openssl-1.1.1-default-cipherlist.patch
1 --- openssl-1.1.1.orig/include/openssl/ssl.h    2018-09-11 14:48:23.000000000 +0200
2 +++ openssl-1.1.1/include/openssl/ssl.h 2018-11-05 16:55:03.935513159 +0100
3 @@ -170,11 +170,11 @@
4   * an application-defined cipher list string starts with 'DEFAULT'.
5   * This applies to ciphersuites for TLSv1.2 and below.
6   */
7 -# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
8 +# define SSL_DEFAULT_CIPHER_LIST "TLSv1.3:CHACHA20:HIGH:+DH:+aRSA:+SHA:+kRSA:!aNULL:!eNULL:!SRP:!PSK:!DSS:!AESCCM"
9  /* This is the default set of TLSv1.3 ciphersuites */
10  # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
11 -#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
12 -                                   "TLS_CHACHA20_POLY1305_SHA256:" \
13 +#  define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
14 +                                   "TLS_AES_256_GCM_SHA384:" \
15                                     "TLS_AES_128_GCM_SHA256"
16  # else
17  #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
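Review bot: The new SSL_DEFAULT_CIPHER_LIST at patch line 8 keeps static-RSA key exchange (`+kRSA`, no forward secrecy) and SHA-1-MAC CBC suites (`+SHA`) enabled and only moves them to the end of the list, and that ordering is honoured only by servers that set SSL_OP_CIPHER_SERVER_PREFERENCE — otherwise the client's preference decides. If nothing shipped with this build still needs static RSA, excluding it outright is the safer default: `# define SSL_DEFAULT_CIPHER_LIST "TLSv1.3:CHACHA20:HIGH:+DH:+aRSA:+SHA:!kRSA:!aNULL:!eNULL:!SRP:!PSK:!DSS:!AESCCM"`; if legacy clients do need it, a comment above the define saying so would stop the next maintainer from dropping it blindly. The leading `TLSv1.3` keyword appears to be inert here, since the TLSv1.3 suites are configured through TLS_DEFAULT_CIPHERSUITES (patch lines 11-17) rather than this list, though I have not traced that through ssl_ciph.c for this exact version. The `# else` branch of TLS_DEFAULT_CIPHERSUITES that starts on the hunk's last line continues outside the hunk.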