malmond / rpms / unbound

Forked from rpms/unbound 3 years ago
Clone

Blame SOURCES/unbound-1.7.3-crypto-policy-non-compliance-openssl.patch

d9cda3
diff --git a/util/net_help.c b/util/net_help.c
d9cda3
index a5059b0..a193c36 100644
d9cda3
--- a/util/net_help.c
d9cda3
+++ b/util/net_help.c
d9cda3
@@ -703,7 +703,7 @@ listen_sslctx_setup(void* ctxt)
d9cda3
 #endif
d9cda3
 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
d9cda3
 	/* if we have sha256, set the cipher list to have no known vulns */
d9cda3
-	if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
d9cda3
+	if(!SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM"))
d9cda3
 		log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
d9cda3
 #endif
d9cda3