OpenSSL: Adjust ciphersuite order and update documentation

This commit is contained in:
Aaron Jones 2016-10-18 11:17:41 +00:00
parent 98c4aaeaff
commit 42e6fbaa8c
No known key found for this signature in database
GPG key ID: EC6F86EE9CD840B5

View file

@ -90,11 +90,38 @@
/* /*
* Default supported ciphersuites (if the user does not provide any) and curves (OpenSSL 1.0.2+) * Default supported ciphersuites (if the user does not provide any) and
* Hardcoded secp384r1 (P-384) is used on OpenSSL 1.0.0 and 1.0.1 (if available). * curves (OpenSSL 1.0.2+). Hardcoded secp384r1 (NIST P-384) is used on
* OpenSSL 1.0.0 and 1.0.1 (if available).
*
* We prefer AEAD ciphersuites first in order of strength, then SHA2
* ciphersuites, then remaining suites.
*/ */
static const char rb_default_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!aNULL"; static const char rb_default_ciphers[] = ""
"aECDSA+kEECDH+CHACHA20:"
"aRSA+kEECDH+CHACHA20:"
"aRSA+kEDH+CHACHA20:"
"aECDSA+kEECDH+AESGCM:"
"aRSA+kEECDH+AESGCM:"
"aRSA+kEDH+AESGCM:"
"aECDSA+kEECDH+AESCCM:"
"aRSA+kEECDH+AESCCM:"
"aRSA+kEDH+AESCCM:"
"@STRENGTH:"
"aECDSA+kEECDH+HIGH+SHA384:"
"aRSA+kEECDH+HIGH+SHA384:"
"aRSA+kEDH+HIGH+SHA384:"
"aECDSA+kEECDH+HIGH+SHA256:"
"aRSA+kEECDH+HIGH+SHA256:"
"aRSA+kEDH+HIGH+SHA256:"
"aECDSA+kEECDH+HIGH:"
"aRSA+kEECDH+HIGH:"
"aRSA+kEDH+HIGH:"
"HIGH:"
"!3DES:"
"!aNULL";
#ifdef LRB_HAVE_TLS_SET_CURVES #ifdef LRB_HAVE_TLS_SET_CURVES
static const char rb_default_curves[] = "P-521:P-384:P-256"; static const char rb_default_curves[] = "P-521:P-384:P-256";
#endif #endif