Date:      Tue, 3 Mar 2015 23:21:28 -0800
From:      Doug Hardie <bc979@lafn.org>
To:        "freebsd-questions@freebsd.org Questions" <freebsd-questions@freebsd.org>
Subject:   OpenSSL Ciphers
Message-ID:  <5347DC2D-AD6C-41A1-AEC7-A81C51F691B3@lafn.org>


The default list of ciphers is quite extensive and includes some that are apparently causing some potential security issues.  I have a number of applications that use OpenSSL and many don’t have the code to restrict the list.  Fixing all that would take quite a bit of work.  However, looking into /usr/include/openssl/ssl.h I find a definition for the SSL_DEFAULT_CIPHER_LIST.  The comments indicate that that list is the one used when the application doesn’t specify anything.  I changed its definition to:

#define SSL_DEFAULT_CIPHER_LIST "TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH:"

However, s_connect will still create a connection with the export ciphers.  I tried adding !EXPORT to that list and it had no effect.  Is the definition actually used by openssl or is it just there for documentation?
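Rather than editing the header and hoping the library picks it up, the more reliable check is to ask the OpenSSL that is actually linked what a cipher string expands to. The script below is an added example, not part of the post; it uses Python's ssl module (backed by the system OpenSSL) and a constructed name-based weakness classifier, and the list of "weak" fragments is an assumption chosen for illustration.

```python
import re
import ssl

# The cipher string from the question (the author's attempted default).
QUESTION_CIPHER_STRING = "TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH"

# Constructed list of name fragments marking legacy suites: export grade,
# null encryption/auth, RC4, single and triple DES, MD5 MACs, anonymous DH/ECDH.
WEAK_PATTERNS = re.compile(
    r"(^|-)(EXP|EXP1024|NULL|RC4|DES|ADH|AECDH|MD5)(-|$)"
)


def is_weak_name(name: str) -> bool:
    """Classify a suite from its OpenSSL name alone (no runtime needed)."""
    return bool(WEAK_PATTERNS.search(name))


def expand_cipher_string(cipher_string: str) -> list:
    """Return the suites the linked OpenSSL actually enables for this string.

    Unknown or no-longer-compiled-in aliases (SSLv2, RC4 on modern builds)
    silently match nothing, so the result shows the real effect of the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises SSLError if nothing matches
    return ctx.get_ciphers()                # list of dicts: name, strength_bits, ...


def audit_cipher_string(cipher_string: str) -> dict:
    """Expand the string and flag suites that are weak by name or key size."""
    enabled = expand_cipher_string(cipher_string)
    weak = [c["name"] for c in enabled
            if is_weak_name(c["name"]) or c["strength_bits"] < 128]
    return {"enabled": [c["name"] for c in enabled], "weak": weak}


if __name__ == "__main__":
    # Compare the library's built-in default with the string from the question.
    for label, s in (("library default", "DEFAULT"), ("question", QUESTION_CIPHER_STRING)):
        r = audit_cipher_string(s)
        print(f"{label}: {len(r['enabled'])} suites enabled, weak: {r['weak'] or 'none'}")
```

Running this against each application's effective cipher string (or "DEFAULT" for the ones that never call the cipher-list API) shows whether the header edit changed anything at all.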

