Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a

ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.

Also, change ssl_create_cipher_list() so that it no longer
starts with an arbitrary ciphersuite ordering, but instead
uses the logic that we previously had in SSL_DEFEAULT_CIPHER_LIST.
SSL_DEFAULT_CIPHER_LIST simplifies into just "ALL:!aNULL:!eNULL".

diff --git a/CHANGES b/CHANGES
index 80db3ae58d40d37f51a145fef30bc94466a20864..44200d6f2e3a8050cf40e0123c55b0c8f45b5960 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,16 @@
 
  Changes between 0.9.8e and 0.9.9  [xx XXX xxxx]
 
+  *) Change ssl_create_cipher_list() so that it automatically
+     arranges the ciphersuites in reasonable order before starting
+     to process the rule string.  Thus, the definition for "DEFAULT"
+     (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
+     remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
+     This makes it much easier to arrive at a reasonable default order
+     in applications for which anonymous ciphers are OK (meaning
+     that you can't actually use DEFAULT).
+     [Bodo Moeller; suggested by Victor Duchovni]
+
   *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
      processing) into multiple integers instead of setting
      "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
@@ -452,6 +462,11 @@
 
  Changes between 0.9.8d and 0.9.8e  [XX xxx XXXX]
 
+  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
+     a ciphersuite string such as "DEFAULT:RSA" cannot enable
+     authentication-only ciphersuites.
+     [Bodo Moeller]
+
   *) Since AES128 and AES256 (and similarly Camellia128 and
      Camellia256) share a single mask bit in the logic of
      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
@@ -1488,6 +1503,11 @@
 
  Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]
 
+  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
+     a ciphersuite string such as "DEFAULT:RSA" cannot enable
+     authentication-only ciphersuites.
+     [Bodo Moeller]
+
   *) Since AES128 and AES256 share a single mask bit in the logic of
      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
      kludge to work properly if AES128 is available and AES256 isn't.

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 0581256d8c67cceb0374112d9ce883703ebdb5d6..b97b35e9c3aa6e4418519cc090086cdbe79281ab 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -315,8 +315,13 @@ extern "C" {
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST        "AES:CAMELLIA:ALL:!ADH:!AECDH:+aECDH:+kRSA:+RC4:@STRENGTH"
-/* low priority for ciphersuites w/o forwared secrecy (fixed ECDH, RSA key exchange), and for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST        "ALL:!aNULL:!eNULL"
+/* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
+ * throwing out anonymous and unencrypted ciphersuites!
+ * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
+ * some of them.)
+ */
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN      1

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 3e94de8f83626ab8fe5c3b4d5e3c00d9b6325b46..787aec1e3110c21842c97d60c037a456d63be303 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1120,6 +1120,40 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                                   disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,
                                   co_list, &head, &tail);
 
+
+       /* Now arrange all ciphers by preference: */
+
+       /* Temporarily enabled AES first (preferred cipher) */
+       ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+
+       /* Temporarily enable everything else */
+       ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+
+       /* Move anonymous ciphers to the end.  Usually, these will remain disabled.
+        * (For applications that allow them, they aren't too bad, but we prefer
+        * authenticated ciphers.) */
+       ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
+
+       /* Move ciphers without forward secrecy to then end */
+       ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
+       ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
+       ssl_cipher_apply_rule(0, 0, SSL_kPSK, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
+
+       /* RC4 is sort-of broken -- move the the end */
+       ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
+
+       /* Now sort by symmetric encryption strength.  The above ordering remains
+        * in force within each class */
+       if (!ssl_cipher_strength_sort(&head, &tail))
+               {
+               OPENSSL_free(co_list);
+               return NULL;
+               }
+
+       /* Now disable everything (maintaining the ordering!) */
+       ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
+
+
        /*
         * We also need cipher aliases for selecting based on the rule_str.
         * There might be two types of entries in the rule_str: 1) names
@@ -1167,6 +1201,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                OPENSSL_free(co_list);
                return(NULL);
                }
+       
        /*
         * Allocate new "cipherstack" for the result, return with error
         * if we cannot get one.