Disable new TLS1 ciphersuites.

diff --git a/CHANGES b/CHANGES
index 7aea4643ad60d14c0101d687a1ab50e83a8ba556..4f8e8bc0901ea220c4f5103822ab03937714ddd8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,9 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) Disable new TLS1 ciphersuites by default: they aren't official yet.
+     [Ben Laurie]
+
   *) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
      on the `perl Configure ...' command line. This way one can compile
      OpenSSL libraries with Position Independent Code (PIC) which is needed

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index c32b71604112b6d801e505df8ac9b12151fc8e2a..78afd87ced3fe3537ec1b69ff852e73de73c80b0 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -355,6 +355,7 @@ SSL_CIPHER ssl3_ciphers[]={
        SSL_ALL_CIPHERS,
        },
 
+#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
        /* New TLS Export CipherSuites */
        /* Cipher 60 */
            {
@@ -383,6 +384,7 @@ SSL_CIPHER ssl3_ciphers[]={
            0,
            SSL_ALL_CIPHERS
            },
+#endif
 
 /* end of list */
        };

diff --git a/ssl/tls1.h b/ssl/tls1.h
index 8d47ae591aa71dab8e74ce2fe1b9fbb742cc7102..780beea855573145244226577c4d17d86efc7287 100644 (file)
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -65,6 +65,8 @@
 extern "C" {
 #endif
 
+#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES   0
+
 #define TLS1_VERSION                   0x0301
 #define TLS1_VERSION_MAJOR             0x03
 #define TLS1_VERSION_MINOR             0x01