disable AES ciphersuites unless explicitly requested

[openssl.git] / ssl / ssl.h

diff --git a/ssl/ssl.h b/ssl/ssl.h
index af4a7e829e475ed4e0f694cfecaef6d1c9328ec7..ba9dc4a9a9152d76c808ab56c73585557489180f 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -253,7 +253,7 @@ extern "C" {
 #define SSL_TXT_RC4            "RC4"
 #define SSL_TXT_RC2            "RC2"
 #define SSL_TXT_IDEA           "IDEA"
-#define SSL_TXT_AES            "AES"
+#define SSL_TXT_AES            "AESdraft" /* AES ciphersuites are not yet official (thus excluded from 'ALL') */
 #define SSL_TXT_MD5            "MD5"
 #define SSL_TXT_SHA1           "SHA1"
 #define SSL_TXT_SHA            "SHA"
@@ -266,9 +266,10 @@ extern "C" {
 #define SSL_TXT_TLSV1          "TLSv1"
 #define SSL_TXT_ALL            "ALL"
 
-/* 'DEFAULT' at the start of the cipher list insert the following string
- * in addition to this being the default cipher string */
-#define SSL_DEFAULT_CIPHER_LIST        "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
+/* The following cipher list is used by default.
+ * It also is substituted when an application-defined cipher list string
+ * starts with 'DEFAULT'. */
+#define SSL_DEFAULT_CIPHER_LIST        "ALL:!ADH:@STRENGTH"
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN      1
@@ -358,6 +359,7 @@ typedef struct ssl_method_st
  *     Cipher                  OCTET_STRING,   -- the 3 byte cipher ID
  *     Session_ID              OCTET_STRING,   -- the Session ID
  *     Master_key              OCTET_STRING,   -- the master key
+ *     KRB5_principal          OCTET_STRING    -- optional Kerberos principal
  *     Key_Arg [ 0 ] IMPLICIT  OCTET_STRING,   -- the optional Key argument
  *     Time [ 1 ] EXPLICIT     INTEGER,        -- optional Start Time
  *     Timeout [ 2 ] EXPLICIT  INTEGER,        -- optional Timeout ins seconds