From 42e6fbaa8cab44019a68ed1582e3105f561321be Mon Sep 17 00:00:00 2001 From: Aaron Jones Date: Tue, 18 Oct 2016 11:17:41 +0000 Subject: [PATCH] OpenSSL: Adjust ciphersuite order and update documentation --- librb/src/openssl_ratbox.h | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/librb/src/openssl_ratbox.h b/librb/src/openssl_ratbox.h index b2d033c9..bbb5cf6a 100644 --- a/librb/src/openssl_ratbox.h +++ b/librb/src/openssl_ratbox.h @@ -90,11 +90,38 @@ /* - * Default supported ciphersuites (if the user does not provide any) and curves (OpenSSL 1.0.2+) - * Hardcoded secp384r1 (P-384) is used on OpenSSL 1.0.0 and 1.0.1 (if available). + * Default supported ciphersuites (if the user does not provide any) and + * curves (OpenSSL 1.0.2+). Hardcoded secp384r1 (NIST P-384) is used on + * OpenSSL 1.0.0 and 1.0.1 (if available). + * + * We prefer AEAD ciphersuites first in order of strength, then SHA2 + * ciphersuites, then remaining suites. */ -static const char rb_default_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!aNULL"; +static const char rb_default_ciphers[] = "" + "aECDSA+kEECDH+CHACHA20:" + "aRSA+kEECDH+CHACHA20:" + "aRSA+kEDH+CHACHA20:" + "aECDSA+kEECDH+AESGCM:" + "aRSA+kEECDH+AESGCM:" + "aRSA+kEDH+AESGCM:" + "aECDSA+kEECDH+AESCCM:" + "aRSA+kEECDH+AESCCM:" + "aRSA+kEDH+AESCCM:" + "@STRENGTH:" + "aECDSA+kEECDH+HIGH+SHA384:" + "aRSA+kEECDH+HIGH+SHA384:" + "aRSA+kEDH+HIGH+SHA384:" + "aECDSA+kEECDH+HIGH+SHA256:" + "aRSA+kEECDH+HIGH+SHA256:" + "aRSA+kEDH+HIGH+SHA256:" + "aECDSA+kEECDH+HIGH:" + "aRSA+kEECDH+HIGH:" + "aRSA+kEDH+HIGH:" + "HIGH:" + "!3DES:" + "!aNULL"; + #ifdef LRB_HAVE_TLS_SET_CURVES static const char rb_default_curves[] = "P-521:P-384:P-256"; #endif