提交 8b1a5af3 编写于 作者: M Matt Caswell

Don't build RC4 ciphersuites into libssl by default

RC4 based ciphersuites in libssl have been disabled by default. They can
be added back by building OpenSSL with the "enable-weak-ssl-ciphers"
Configure option at compile time.
Reviewed-by: NRich Salz <rsalz@openssl.org>
上级 f04abe7d
...@@ -4,6 +4,11 @@ ...@@ -4,6 +4,11 @@
Changes between 1.0.2g and 1.1.0 [xx XXX xxxx] Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]
*) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
disabled by default. They can be re-enabled using the
enable-weak-ssl-ciphers option to Configure.
[Matt Caswell]
*) If the server has ALPN configured, but supports no protocols that the *) If the server has ALPN configured, but supports no protocols that the
client advertises, send a fatal "no_application_protocol" alert. client advertises, send a fatal "no_application_protocol" alert.
This behaviour is SHALL in RFC 7301, though it isn't universally This behaviour is SHALL in RFC 7301, though it isn't universally
......
...@@ -57,6 +57,9 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx ...@@ -57,6 +57,9 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
# library and will be loaded in run-time by the OpenSSL library. # library and will be loaded in run-time by the OpenSSL library.
# sctp include SCTP support # sctp include SCTP support
# 386 generate 80386 code # 386 generate 80386 code
# enable-weak-ssl-ciphers
# Enable weak ciphers that are disabled by default. This currently
# only includes RC4 based ciphers.
# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2 # no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...) # no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through # -<xxx> +<xxx> compiler options are passed through
...@@ -313,6 +316,7 @@ my @disablables = ( ...@@ -313,6 +316,7 @@ my @disablables = (
"ui", "ui",
"unit-test", "unit-test",
"whirlpool", "whirlpool",
"weak-ssl-ciphers",
"zlib", "zlib",
"zlib-dynamic", "zlib-dynamic",
); );
...@@ -330,18 +334,19 @@ my @deprecated_disablables = ( ...@@ -330,18 +334,19 @@ my @deprecated_disablables = (
our %disabled = ( # "what" => "comment" our %disabled = ( # "what" => "comment"
"ec_nistp_64_gcc_128" => "default", "ec_nistp_64_gcc_128" => "default",
"egd" => "default", "egd" => "default",
"md2" => "default", "md2" => "default",
"rc5" => "default", "rc5" => "default",
"sctp" => "default", "sctp" => "default",
"shared" => "default", "shared" => "default",
"ssl-trace" => "default", "ssl-trace" => "default",
"static-engine" => "default", "static-engine" => "default",
"unit-test" => "default", "unit-test" => "default",
"zlib" => "default", "weak-ssl-ciphers" => "default",
"zlib-dynamic" => "default", "zlib" => "default",
"crypto-mdebug" => "default", "zlib-dynamic" => "default",
"heartbeats" => "default", "crypto-mdebug" => "default",
"heartbeats" => "default",
); );
# Note: => pair form used for aesthetics, not to truly make a hash table # Note: => pair form used for aesthetics, not to truly make a hash table
......
...@@ -144,9 +144,10 @@ When used, this must be the first cipherstring specified. ...@@ -144,9 +144,10 @@ When used, this must be the first cipherstring specified.
=item B<COMPLEMENTOFDEFAULT> =item B<COMPLEMENTOFDEFAULT>
The ciphers included in B<ALL>, but not enabled by default. Currently The ciphers included in B<ALL>, but not enabled by default. Currently
this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
necessary). necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL> =item B<ALL>
......
...@@ -195,6 +195,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -195,6 +195,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 04 */ /* Cipher 04 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_RSA_RC4_128_MD5, SSL3_TXT_RSA_RC4_128_MD5,
...@@ -225,6 +226,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -225,6 +226,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128, 128,
128, 128,
}, },
#endif
/* Cipher 07 */ /* Cipher 07 */
#ifndef OPENSSL_NO_IDEA #ifndef OPENSSL_NO_IDEA
...@@ -293,6 +295,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -293,6 +295,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 18 */ /* Cipher 18 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_ADH_RC4_128_MD5, SSL3_TXT_ADH_RC4_128_MD5,
...@@ -307,6 +310,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -307,6 +310,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128, 128,
128, 128,
}, },
#endif
/* Cipher 1B */ /* Cipher 1B */
{ {
...@@ -813,6 +817,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -813,6 +817,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
/* PSK ciphersuites from RFC 4279 */ /* PSK ciphersuites from RFC 4279 */
/* Cipher 8A */ /* Cipher 8A */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_TXT_PSK_WITH_RC4_128_SHA,
...@@ -827,6 +832,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -827,6 +832,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128, 128,
128, 128,
}, },
#endif
/* Cipher 8B */ /* Cipher 8B */
{ {
...@@ -877,6 +883,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -877,6 +883,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 8E */ /* Cipher 8E */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA, TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA,
...@@ -891,6 +898,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -891,6 +898,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128, 128,
128, 128,
}, },
#endif
/* Cipher 8F */ /* Cipher 8F */
{ {
...@@ -941,6 +949,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -941,6 +949,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 92 */ /* Cipher 92 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA, TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA,
...@@ -955,6 +964,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -955,6 +964,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128, 128,
128, 128,
}, },
#endif
/* Cipher 93 */ /* Cipher 93 */
{ {
...@@ -1646,6 +1656,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -1646,6 +1656,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher C007 */ /* Cipher C007 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
...@@ -1660,6 +1671,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -1660,6 +1671,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128, 128,
128, 128,
}, },
#endif
/* Cipher C008 */ /* Cipher C008 */
{ {
...@@ -1726,6 +1738,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -1726,6 +1738,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher C011 */ /* Cipher C011 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
...@@ -1740,6 +1753,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -1740,6 +1753,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128, 128,
128, 128,
}, },
#endif
/* Cipher C012 */ /* Cipher C012 */
{ {
...@@ -1806,6 +1820,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -1806,6 +1820,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher C016 */ /* Cipher C016 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
...@@ -1820,6 +1835,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -1820,6 +1835,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128, 128,
128, 128,
}, },
#endif
/* Cipher C017 */ /* Cipher C017 */
{ {
...@@ -2152,6 +2168,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -2152,6 +2168,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
/* PSK ciphersuites from RFC 5489 */ /* PSK ciphersuites from RFC 5489 */
/* Cipher C033 */ /* Cipher C033 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA, TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
...@@ -2166,6 +2183,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { ...@@ -2166,6 +2183,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
128, 128,
128, 128,
}, },
#endif
/* Cipher C034 */ /* Cipher C034 */
{ {
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册