authorTodd Short <tshort@akamai.com>2019-04-05 16:03:29 +0200
committerMatt Caswell <matt@openssl.org>2019-06-11 10:44:26 +0200
commit5d120511679ed69669e29b374a3bab1c50ff5134 (patch)
treed3ba2fbe02170e3dee4825852549148bb6937951 /include
parentBIO_lookup_ex: Retry with AI_ADDRCONFIG cleared if getaddrinfo fails (diff)
Change cipher default strings to a function
Making the default cipher strings a function gives the library more control over the defaults, potentially allowing a change in the future as ciphers become deprecated or dangerous. It also allows third-party distributors to change the defaults for their installations. Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8686)
Diffstat (limited to 'include')
-rw-r--r--include/openssl/ssl.h30
1 files changed, 21 insertions, 9 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 3367366bd5..9f500a334c 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -169,17 +169,25 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
* This applies to ciphersuites for TLSv1.2 and below.
+ * DEPRECATED IN 3.0.0, in favor of OSSL_default_cipher_list()
+ * Update both macro and function simultaneously
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
-/* This is the default set of TLSv1.3 ciphersuites */
-# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \
- "TLS_AES_128_GCM_SHA256"
-# else
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+# if !OPENSSL_API_3
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+/*
+ * This is the default set of TLSv1.3 ciphersuites
+ * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
+ * Update both macro and function simultaneously
+ */
+# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+ "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_128_GCM_SHA256"
+# else
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
"TLS_AES_128_GCM_SHA256"
-#endif
+# endif
+# endif
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
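Review bot: The only thing keeping `SSL_DEFAULT_CIPHER_LIST` / `TLS_DEFAULT_CIPHERSUITES` in step with the new functions is the comment "Update both macro and function simultaneously", yet the commit message explicitly invites distributors to change the function's defaults, so a pre-3.0 application built with `OPENSSL_API_3` unset can believe it is using one default list while the library's `DEFAULT` expands to another. Since the function bodies are not in this header I cannot tell whether they return these literals, but a test asserting `strcmp(SSL_DEFAULT_CIPHER_LIST, OSSL_default_cipher_list()) == 0` and `strcmp(TLS_DEFAULT_CIPHERSUITES, OSSL_default_ciphersuites()) == 0` (under `!OPENSSL_API_3`) would turn the comment into something that fails loudly. The comment itself should also say which way the drift is dangerous, e.g. `* If the function is changed without this macro, applications compiled against the macro will report a different default than the library actually negotiates.` The `#if !OPENSSL_API_3` guard relies on an undefined macro evaluating to 0, which is fine, but the `extern "C"` block it sits in begins above the hunk.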
@@ -2443,6 +2451,10 @@ void SSL_set_allow_early_data_cb(SSL *s,
SSL_allow_early_data_cb_fn cb,
void *arg);
+/* store the default cipher strings inside the library */
+const char *OSSL_default_cipher_list(void);
+const char *OSSL_default_ciphersuites(void);
+
# ifdef __cplusplus
}
# endif
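Review bot: `OSSL_default_cipher_list()` and `OSSL_default_ciphersuites()` are new public API returning `const char *`, but the one-line comment above them says nothing about ownership or lifetime, so callers cannot tell whether the pointer may be cached, must not be freed, or could change at runtime. The implementation is not in this hunk, so I would confirm against it and then document the contract in the header, e.g. `/* Return the library's default TLSv1.2-and-below cipher list (resp. TLSv1.3 ciphersuites) as a NUL-terminated string owned by the library; never NULL, must not be freed or modified. Replaces the deprecated SSL_DEFAULT_CIPHER_LIST / TLS_DEFAULT_CIPHERSUITES macros. */`. Stating "never NULL" matters because the obvious use is passing the result straight into `SSL_CTX_set_cipher_list()`, and if a distributor-modified build could return NULL that would silently select no ciphers rather than the defaults.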