From 899bc6845d43977b29577ac050b15097d7cae32a Mon Sep 17 00:00:00 2001
From: Gerhard Rieger
Date: Sun, 23 Nov 2014 13:48:05 +0100
Subject: [PATCH] Red Hat issue 1019972: needs to specify OpenSSL cipher suites
---
 CHANGES | 4 ++++
 xio-openssl.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index c113edd..7f4a505 100644
--- a/CHANGES
+++ b/CHANGES
@@ -32,6 +32,10 @@ security:
 Red Hat issue 1019964: socat now uses the system certificate store with
 OPENSSL when neither options cafile nor capath are used
 
+ Red Hat issue 1019972: needs to specify OpenSSL cipher suites
+ Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
+ prevent downgrade attacks
+
 new features:
 OpenSSL addresses set couple of environment variables from values in
 peer certificate, e.g.:
diff --git a/xio-openssl.c b/xio-openssl.c
index 225148e..0e442dc 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -717,7 +717,7 @@ int
 bool opt_fips = false;
 const SSL_METHOD *method;
 char *me_str = NULL; /* method string */
- char *ci_str = NULL; /* cipher string */
+ char *ci_str = "HIGH:-NULL:-PSK:-aNULL"; /* cipher string */
 char *opt_key = NULL; /* file name of client private key */
 char *opt_dhparam = NULL; /* file name of DH params */
 char *opt_cafile = NULL; /* certificate authority file */
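Review bot: The new default on the `ci_str` line in xio-openssl.c is a string literal held through a non-const `char *`, and the rest of the function lies outside this hunk, so it is worth confirming that no later path frees or writes through `ci_str` when the user gives no cipher option. The exclusions use `-`, which in OpenSSL cipher-list syntax only removes suites from the current list and lets a later term add them back; `"HIGH:!NULL:!PSK:!aNULL"` selects the same suites for this string and stays safe if the default is ever extended. A cipher list also does not limit the protocol version, so the "downgrade" wording in CHANGES covers cipher strength only, and the method presumably chosen through `me_str` still decides which protocol versions are offered. I would record that in the comment, for example `/* default cipher list: strong suites only, no unencrypted, unauthenticated or PSK suites; protocol version is set by the method */`.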