- For #1227: if we have sha256, set the cipher list to have no

  known vulns.

git-svn-id: file:///svn/unbound/trunk@4030 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/daemon/remote.c b/daemon/remote.c
index abde9e4e688305514b33aa440b8dce92fc3765ce..b61dfaf1d39e5d81a3ed1536aa01a01929e722f3 100644 (file)
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -260,8 +260,11 @@ daemon_remote_create(struct config_file* cfg)
                return NULL;
        }
 #endif
-       if(!SSL_CTX_set_cipher_list(rc->ctx, "DEFAULT:!CAMELLIA128:!CAMELLIA256:!SEED:!IDEA:!RC4:!3DES:!DES:!MD5:!SHA:!sect283k1:!sect283r1:!sect409k1:!sect409r1:!sect571k1:!sect571r1:!secp256k1:!brainpoolP256r1:!brainpoolP384r1:!brainpoolP512r1"))
+#ifdef SHA256_DIGEST_LENGTH
+       /* if we have sha256, set the cipher list to have no known vulns */
+       if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
                log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list");
+#endif
 
        if (cfg->remote_control_use_cert == 0) {
                /* No certificates are requested */

diff --git a/doc/Changelog b/doc/Changelog
index 24e08c95a2f8f1ab296f80d4a9ba8e00b3b69a6f..70f1fe8ee4b9252ea35a5ff4989cfc8355a202c2 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+28 February 2017: Wouter
+       - For #1227: if we have sha256, set the cipher list to have no
+         known vulns.
+
 27 February 2017: Wouter
        - Fix #1227: Fix that Unbound control allows weak ciphersuits.
        - Fix #1226: provide official 32bit binary for windows.