Drop null-auth suites from our default TLS cipher list

Previously we disallowed anonymous Diffie-Hellman, but there are other
kinds of null-authentication TLS suites.  In particular, disallowing
AECDH is important now that we support elliptic-curve Diffie-Hellman.

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
index f298792ea18456d587f88bd82b2188a728a0547f..20dc4b4dfd3da6fb2abf3d93d7e8068eca9a6708 100644 (file)
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
@@ -202,7 +202,7 @@ void tls_set_default(tls_issues_t *i)
   i->key = i->key ? i->key : i->cert;
   i->randFile = i->randFile ? i->randFile : "tls_seed.dat";
   i->CAfile = i->CAfile ? i->CAfile : "cafile.pem";
-  i->ciphers = i->ciphers ? i->ciphers : "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
+  i->ciphers = i->ciphers ? i->ciphers : "!eNULL:!aNULL:!EXP:!LOW:!MD5:ALL:@STRENGTH";
   /* Default SIP cipher */
   /* "RSA-WITH-AES-128-CBC-SHA"; */
   /* RFC-2543-compatibility ciphersuite */

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
index 0d806e7204a6b467f897d767f4253d9e2d7d140a..e7ad51841aae0ffc579b8c7f23c35e19a423c38c 100644 (file)
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
@@ -61,7 +61,7 @@ typedef struct tls_issues_s {
   char *CAfile;                /* PEM file of CA's                           */
   char *CApath;                /* PEM file path of CA's                      */
   char *ciphers;         /* Should be one of the above defined ciphers *
-                        * or NULL (default: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+                        * or NULL (default: !eNULL:!aNULL:!EXP:!LOW:!MD5:ALL:@STRENGTH)
                          */
   int   version;       /* For tls1, version is 1. When ssl3/ssl2 is
                         * used, it is 0. */