Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 3 Mar 2015 23:21:28 -0800
From:      Doug Hardie <bc979@lafn.org>
To:        "freebsd-questions@freebsd.org Questions" <freebsd-questions@freebsd.org>
Subject:   OpenSSL Ciphers
Message-ID:  <5347DC2D-AD6C-41A1-AEC7-A81C51F691B3@lafn.org>

next in thread | raw e-mail | index | archive | help
The default list of ciphers is quite extensive and includes some that =
are apparently causing some potential security issues.  I have a number =
of applications that use OpenSSL and many don=E2=80=99t have the code to =
restrict the list.  Fixing all that would take quite a bit of work.  =
However, looking into /usr/include/openssl/ssl.h I find a definition for =
the SSL_DEFAULT_CIPHER_LIST.  The comments indicate that that list is =
the one used when the application doesn=E2=80=99t specify anything.  I =
changed its definition to:

#define SSL_DEFAULT_CIPHER_LIST =
"TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH:

However, s_connect will still create a connection with the export =
ciphers.  I tried adding !EXPORT to that list and it had no effect.  Is =
the definition actually used by openssl or is it just there for =
documentation?=



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5347DC2D-AD6C-41A1-AEC7-A81C51F691B3>