diff --git a/CHANGES b/CHANGES
index c113edd..7f4a505 100644
--- a/CHANGES
+++ b/CHANGES
@@ -32,6 +32,10 @@ security:
 Red Hat issue 1019964: socat now uses the system certificate store with OPENSSL when neither options cafile nor capath are used
+ Red Hat issue 1019972: needs to specify OpenSSL cipher suites
+ Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
+ prevent downgrade attacks
+
 new features:
 OpenSSL addresses set couple of environment variables from values in peer certificate, e.g.:
diff --git a/xio-openssl.c b/xio-openssl.c
index 225148e..0e442dc 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -717,7 +717,7 @@ int
 bool opt_fips = false;
 const SSL_METHOD *method;
 char *me_str = NULL; /* method string */
- char *ci_str = NULL; /* cipher string */
+ char *ci_str = "HIGH:-NULL:-PSK:-aNULL"; /* cipher string */
 char *opt_key = NULL; /* file name of client private key */
 char *opt_dhparam = NULL; /* file name of DH params */
 char *opt_cafile = NULL; /* certificate authority file */
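Review bot: The new default on the `ci_str` declaration in xio-openssl.c is an unnamed string literal held in a mutable `char *`, and the comment beside it still reads only `/* cipher string */`, so the hardening policy is not explained where it is set. I would spell it out, for example `/* default cipher list: HIGH only, minus NULL-encryption, PSK and anonymous (unauthenticated) suites */`, and confirm that nothing later in the function frees or writes through `ci_str` while it still points at the literal. The code that consumes `ci_str` is outside this hunk. Because the value is now never NULL, presumably the call that applies it (likely `SSL_CTX_set_cipher_list`) runs on every setup, so it is worth checking that a failure there aborts rather than silently falling back to the library's default list. It also looks as if a user-supplied cipher option replaces this default outright rather than being combined with it, and since `-` is a soft removal, the option's documentation should say that an override can bring the excluded suites back.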