{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1755027925, "reponame":"openssl", "desc":"OpenSSL", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl", "f":3, "items": [ {"schema":"libjg2-1", "cid":"02ec9edfd1e54a5384175e2ed08fd2f1", "commit": {"type":"commit", "time": 1457085846, "time_ofs": 0, "oid_tree": { "oid": "c8e4ed539f9a711c85cbff3b62b38736b5dd29af", "alias": []}, "oid":{ "oid": "8b1a5af389fb962c7d00ffc9d003c81078033e7b", "alias": []}, "msg": "Don't build RC4 ciphersuites into libssl by default", "sig_commit": { "git_time": { "time": 1457085846, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }, "sig_author": { "git_time": { "time": 1457019651, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }}, "body": "Don't build RC4 ciphersuites into libssl by default\n\nRC4 based ciphersuites in libssl have been disabled by default. They can\nbe added back by building OpenSSL with the \u0022enable-weak-ssl-ciphers\u0022\nConfigure option at compile time.\n\nReviewed-by: Rich Salz \u003crsalz@openssl.org\u003e\n" , "diff": "diff --git a/CHANGES b/CHANGES\nindex 6186558..f534cf7 100644\n--- a/CHANGES\n+++ b/CHANGES\n@@ -4,6 +4,11 @@\n \n Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]\n \n+ *) RC4 based libssl ciphersuites are now classed as \u0022weak\u0022 ciphers and are\n+ disabled by default. They can be re-enabled using the\n+ enable-weak-ssl-ciphers option to Configure.\n+ [Matt Caswell]\n+\n *) If the server has ALPN configured, but supports no protocols that the\n client advertises, send a fatal \u0022no_application_protocol\u0022 alert.\n This behaviour is SHALL in RFC 7301, though it isn't universally\ndiff --git a/Configure b/Configure\nindex 5e2e8d3..e57ff60 100755\n--- a/Configure\n+++ b/Configure\n@@ -57,6 +57,9 @@ my $usage\u003d\u0022Usage: Configure [no-\u003ccipher\u003e ...] [enable-\u003ccipher\u003e ...] [-Dxxx] [-lx\n #\t\tlibrary and will be loaded in run-time by the OpenSSL library.\n # sctp include SCTP support\n # 386 generate 80386 code\n+# enable-weak-ssl-ciphers\n+# Enable weak ciphers that are disabled by default. This currently\n+# only includes RC4 based ciphers.\n # no-sse2\tdisables IA-32 SSE2 code, above option implies no-sse2\n # no-\u003ccipher\u003e build without specified algorithm (rsa, idea, rc5, ...)\n # -\u003cxxx\u003e +\u003cxxx\u003e compiler options are passed through\n@@ -313,6 +316,7 @@ my @disablables \u003d (\n \u0022ui\u0022,\n \u0022unit-test\u0022,\n \u0022whirlpool\u0022,\n+ \u0022weak-ssl-ciphers\u0022,\n \u0022zlib\u0022,\n \u0022zlib-dynamic\u0022,\n );\n@@ -330,18 +334,19 @@ my @deprecated_disablables \u003d (\n \n our %disabled \u003d ( # \u0022what\u0022 \u003d\u003e \u0022comment\u0022\n \t\t \u0022ec_nistp_64_gcc_128\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022egd\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022md2\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022rc5\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022sctp\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022shared\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022ssl-trace\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022static-engine\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022unit-test\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022zlib\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022zlib-dynamic\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022crypto-mdebug\u0022 \u003d\u003e \u0022default\u0022,\n-\t\t \u0022heartbeats\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022egd\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022md2\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022rc5\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022sctp\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022shared\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022ssl-trace\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022static-engine\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022unit-test\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022weak-ssl-ciphers\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022zlib\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022zlib-dynamic\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022crypto-mdebug\u0022 \u003d\u003e \u0022default\u0022,\n+\t\t \u0022heartbeats\u0022 \u003d\u003e \u0022default\u0022,\n \t\t);\n \n # Note: \u003d\u003e pair form used for aesthetics, not to truly make a hash table\ndiff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod\nindex 07c353d..344e218 100644\n--- a/doc/apps/ciphers.pod\n+++ b/doc/apps/ciphers.pod\n@@ -144,9 +144,10 @@ When used, this must be the first cipherstring specified.\n \u003ditem B\u003cCOMPLEMENTOFDEFAULT\u003e\n \n The ciphers included in B\u003cALL\u003e, but not enabled by default. Currently\n-this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does\n+this includes all RC4 and anonymous ciphers. Note that this rule does\n not cover B\u003ceNULL\u003e, which is not included by B\u003cALL\u003e (use B\u003cCOMPLEMENTOFALL\u003e if\n-necessary).\n+necessary). Note that RC4 based ciphersuites are not built into OpenSSL by\n+default (see the enable-weak-ssl-ciphers option to Configure).\n \n \u003ditem B\u003cALL\u003e\n \ndiff --git a/ssl/s3_lib.c b/ssl/s3_lib.c\nindex 07ce76d..f1ea55a 100644\n--- a/ssl/s3_lib.c\n+++ b/ssl/s3_lib.c\n@@ -195,6 +195,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n },\n \n /* Cipher 04 */\n+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS\n {\n 1,\n SSL3_TXT_RSA_RC4_128_MD5,\n@@ -225,6 +226,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n 128,\n 128,\n },\n+#endif\n \n /* Cipher 07 */\n #ifndef OPENSSL_NO_IDEA\n@@ -293,6 +295,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n },\n \n /* Cipher 18 */\n+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS\n {\n 1,\n SSL3_TXT_ADH_RC4_128_MD5,\n@@ -307,6 +310,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n 128,\n 128,\n },\n+#endif\n \n /* Cipher 1B */\n {\n@@ -813,6 +817,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n #ifndef OPENSSL_NO_PSK\n /* PSK ciphersuites from RFC 4279 */\n /* Cipher 8A */\n+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS\n {\n 1,\n TLS1_TXT_PSK_WITH_RC4_128_SHA,\n@@ -827,6 +832,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n 128,\n 128,\n },\n+#endif\n \n /* Cipher 8B */\n {\n@@ -877,6 +883,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n },\n \n /* Cipher 8E */\n+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS\n {\n 1,\n TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA,\n@@ -891,6 +898,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n 128,\n 128,\n },\n+#endif\n \n /* Cipher 8F */\n {\n@@ -941,6 +949,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n },\n \n /* Cipher 92 */\n+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS\n {\n 1,\n TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA,\n@@ -955,6 +964,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n 128,\n 128,\n },\n+#endif\n \n /* Cipher 93 */\n {\n@@ -1646,6 +1656,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n },\n \n /* Cipher C007 */\n+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS\n {\n 1,\n TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,\n@@ -1660,6 +1671,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n 128,\n 128,\n },\n+#endif\n \n /* Cipher C008 */\n {\n@@ -1726,6 +1738,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n },\n \n /* Cipher C011 */\n+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS\n {\n 1,\n TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,\n@@ -1740,6 +1753,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n 128,\n 128,\n },\n+#endif\n \n /* Cipher C012 */\n {\n@@ -1806,6 +1820,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n },\n \n /* Cipher C016 */\n+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS\n {\n 1,\n TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,\n@@ -1820,6 +1835,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n 128,\n 128,\n },\n+#endif\n \n /* Cipher C017 */\n {\n@@ -2152,6 +2168,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n \n /* PSK ciphersuites from RFC 5489 */\n /* Cipher C033 */\n+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS\n {\n 1,\n TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,\n@@ -2166,6 +2183,7 @@ static const SSL_CIPHER ssl3_ciphers[] \u003d {\n 128,\n 128,\n },\n+#endif\n \n /* Cipher C034 */\n {\n","s":{"c":1755027925,"u": 13777}} ],"g": 15239,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}