Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]
+ *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
+ disabled by default. They can be re-enabled using the
+ enable-weak-ssl-ciphers option to Configure.
+ [Matt Caswell]
+
*) If the server has ALPN configured, but supports no protocols that the
client advertises, send a fatal "no_application_protocol" alert.
This behaviour is SHALL in RFC 7301, though it isn't universally
# library and will be loaded in run-time by the OpenSSL library.
# sctp include SCTP support
# 386 generate 80386 code
+# enable-weak-ssl-ciphers
+# Enable weak ciphers that are disabled by default. This currently
+# only includes RC4 based ciphers.
# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through
"ui",
"unit-test",
"whirlpool",
+ "weak-ssl-ciphers",
"zlib",
"zlib-dynamic",
);
our %disabled = ( # "what" => "comment"
"ec_nistp_64_gcc_128" => "default",
- "egd" => "default",
- "md2" => "default",
- "rc5" => "default",
- "sctp" => "default",
- "shared" => "default",
- "ssl-trace" => "default",
- "static-engine" => "default",
- "unit-test" => "default",
- "zlib" => "default",
- "zlib-dynamic" => "default",
- "crypto-mdebug" => "default",
- "heartbeats" => "default",
+ "egd" => "default",
+ "md2" => "default",
+ "rc5" => "default",
+ "sctp" => "default",
+ "shared" => "default",
+ "ssl-trace" => "default",
+ "static-engine" => "default",
+ "unit-test" => "default",
+ "weak-ssl-ciphers" => "default",
+ "zlib" => "default",
+ "zlib-dynamic" => "default",
+ "crypto-mdebug" => "default",
+ "heartbeats" => "default",
);
# Note: => pair form used for aesthetics, not to truly make a hash table
=item B<COMPLEMENTOFDEFAULT>
The ciphers included in B<ALL>, but not enabled by default. Currently
-this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does
+this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
-necessary).
+necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
+default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL>
},
/* Cipher 04 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_RSA_RC4_128_MD5,
128,
128,
},
+#endif
/* Cipher 07 */
#ifndef OPENSSL_NO_IDEA
},
/* Cipher 18 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_ADH_RC4_128_MD5,
128,
128,
},
+#endif
/* Cipher 1B */
{
#ifndef OPENSSL_NO_PSK
/* PSK ciphersuites from RFC 4279 */
/* Cipher 8A */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_PSK_WITH_RC4_128_SHA,
128,
128,
},
+#endif
/* Cipher 8B */
{
},
/* Cipher 8E */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA,
128,
128,
},
+#endif
/* Cipher 8F */
{
},
/* Cipher 92 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA,
128,
128,
},
+#endif
/* Cipher 93 */
{
},
/* Cipher C007 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
128,
128,
},
+#endif
/* Cipher C008 */
{
},
/* Cipher C011 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
128,
128,
},
+#endif
/* Cipher C012 */
{
},
/* Cipher C016 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
128,
128,
},
+#endif
/* Cipher C017 */
{
/* PSK ciphersuites from RFC 5489 */
/* Cipher C033 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
128,
128,
},
+#endif
/* Cipher C034 */
{
projects / openssl.git / commitdiff