prefer SHA1 over MD5 (this affects the Kerberos ciphersuites)

aa79dd68 · Bodo Möller · 60cad2ca · aa79dd68
显示空白变更内容
内联并排

Showing with 5 addition and 2 deletion

ssl/ssl_ciph.c ssl/ssl_ciph.c +5 -2

未找到文件。
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1180,12 +1180,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
 	ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);

-	/* Temporarily enable AES first (preferred cipher) */
+	/* AES is our preferred symmetric cipher */
 	ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);

-	/* Temporarily enable everything else */
+	/* Temporarily enable everything else for sorting */
 	ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);

+	/* Low priority for MD5 */
+	ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, &tail);
+
 	/* Move anonymous ciphers to the end.  Usually, these will remain disabled.
 	 * (For applications that allow them, they aren't too bad, but we prefer
 	 * authenticated ciphers.) */