Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
8 个月 前同步成功

通知 8
Star 18
Fork 1
T
Third Party Openssl

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

提交 8b1a5af3 编写于 作者: M Matt Caswell
浏览文件
操作

Don't build RC4 ciphersuites into libssl by default 

RC4 based ciphersuites in libssl have been disabled by default. They can
be added back by building OpenSSL with the "enable-weak-ssl-ciphers"
Configure option at compile time.
Reviewed-by: NRich Salz <rsalz@openssl.org>
上级 f04abe7d
隐藏空白更改
内联 并排
Showing with 43 addition and 14 deletion
CHANGES
浏览文件 @ 8b1a5af3
......@@ -4,6 +4,11 @@
Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]
*) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
disabled by default. They can be re-enabled using the
enable-weak-ssl-ciphers option to Configure.
[Matt Caswell]
*) If the server has ALPN configured, but supports no protocols that the
client advertises, send a fatal "no_application_protocol" alert.
This behaviour is SHALL in RFC 7301, though it isn't universally
......
Configure
浏览文件 @ 8b1a5af3
......@@ -57,6 +57,9 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
# library and will be loaded in run-time by the OpenSSL library.
# sctp include SCTP support
# 386 generate 80386 code
# enable-weak-ssl-ciphers
# Enable weak ciphers that are disabled by default. This currently
# only includes RC4 based ciphers.
# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through
......@@ -313,6 +316,7 @@ my @disablables = (
"ui",
"unit-test",
"whirlpool",
"weak-ssl-ciphers",
"zlib",
"zlib-dynamic",
);
......@@ -330,18 +334,19 @@ my @deprecated_disablables = (
our %disabled = ( # "what" => "comment"
"ec_nistp_64_gcc_128" => "default",
"egd" => "default",
"md2" => "default",
"rc5" => "default",
"sctp" => "default",
"shared" => "default",
"ssl-trace" => "default",
"static-engine" => "default",
"unit-test" => "default",
"zlib" => "default",
"zlib-dynamic" => "default",
"crypto-mdebug" => "default",
"heartbeats" => "default",
"egd" => "default",
"md2" => "default",
"rc5" => "default",
"sctp" => "default",
"shared" => "default",
"ssl-trace" => "default",
"static-engine" => "default",
"unit-test" => "default",
"weak-ssl-ciphers" => "default",
"zlib" => "default",
"zlib-dynamic" => "default",
"crypto-mdebug" => "default",
"heartbeats" => "default",
);
# Note: => pair form used for aesthetics, not to truly make a hash table
......
doc/apps/ciphers.pod
浏览文件 @ 8b1a5af3
......@@ -144,9 +144,10 @@ When used, this must be the first cipherstring specified.
=item B<COMPLEMENTOFDEFAULT>
The ciphers included in B<ALL>, but not enabled by default. Currently
this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does
this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
necessary).
necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL>
......
ssl/s3_lib.c
浏览文件 @ 8b1a5af3
......@@ -195,6 +195,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 04 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_RSA_RC4_128_MD5,
......@@ -225,6 +226,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher 07 */
#ifndef OPENSSL_NO_IDEA
......@@ -293,6 +295,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 18 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_ADH_RC4_128_MD5,
......@@ -307,6 +310,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher 1B */
{
......@@ -813,6 +817,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
#ifndef OPENSSL_NO_PSK
/* PSK ciphersuites from RFC 4279 */
/* Cipher 8A */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_PSK_WITH_RC4_128_SHA,
......@@ -827,6 +832,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher 8B */
{
......@@ -877,6 +883,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 8E */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA,
......@@ -891,6 +898,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher 8F */
{
......@@ -941,6 +949,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher 92 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA,
......@@ -955,6 +964,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher 93 */
{
......@@ -1646,6 +1656,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher C007 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
......@@ -1660,6 +1671,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher C008 */
{
......@@ -1726,6 +1738,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher C011 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
......@@ -1740,6 +1753,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher C012 */
{
......@@ -1806,6 +1820,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
},
/* Cipher C016 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
......@@ -1820,6 +1835,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher C017 */
{
......@@ -2152,6 +2168,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
/* PSK ciphersuites from RFC 5489 */
/* Cipher C033 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
......@@ -2166,6 +2183,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif
/* Cipher C034 */
{
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册