diff --git a/CHANGES b/CHANGES
index eac01bc..fc4e231 100644
--- a/CHANGES
+++ b/CHANGES
@@ -32,6 +32,10 @@ security:
 Red Hat issue 1019964: socat now uses the system certificate store with OPENSSL when neither options cafile nor capath are used
+ Red Hat issue 1019972: needs to specify OpenSSL cipher suites
+ Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
+ prevent downgrade attacks
+
 corrections:
 LISTEN based addresses applied some address options, e.g. so-keepalive, to the listening file descriptor instead of the connected file
diff --git a/xio-openssl.c b/xio-openssl.c
index 1cf1c30..ff6dfa7 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -852,7 +852,7 @@ int
 bool opt_fips = false;
 const SSL_METHOD *method;
 char *me_str = NULL; /* method string */
- char *ci_str = NULL; /* cipher string */
+ char *ci_str = "HIGH:-NULL:-PSK:-aNULL"; /* cipher string */
 char *opt_key = NULL; /* file name of client private key */
 char *opt_dhparam = NULL; /* file name of DH params */
 char *opt_cafile = NULL; /* certificate authority file */
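Review bot: The new default on `ci_str` in xio-openssl.c is an unnamed literal bound to a non-const `char *`, and its comment still says only "cipher string", so the security intent and its limits are not recorded where the value lives. I would name the value, e.g. `#define XIO_OPENSSL_DEFAULT_CIPHERS "HIGH:-NULL:-PSK:-aNULL"` (name constructed for illustration), and comment the declaration with `/* default cipher list, used only when no cipher option is given; a user-supplied list replaces it entirely, exclusions included */`. The list constrains cipher strength only: `HIGH` is resolved by whichever OpenSSL is linked, and protocol-version negotiation stays under `method`, so the CHANGES wording "prevent downgrade attacks" would be more accurate if scoped to cipher-suite downgrade. The function continues outside this hunk; since `ci_str` is now never NULL, the list is presumably always passed to OpenSSL (likely via `SSL_CTX_set_cipher_list`, not visible here). It is worth confirming that a failure of that call aborts the connection rather than falling back to the library defaults.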