From 1aaffff1a658c5b9d5a5e09d4c6ab0a7ed4e1a50 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 21 Sep 2015 15:41:24 -0400
Subject: [PATCH] The OpenSSL DEFAULT cipher macro shouldn't enable NULL ciphers
---
 nss_engine_cipher.c | 13 +++++++++++++
 test/test_cipher.py | 8 ++++++++
 2 files changed, 21 insertions(+)
diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
index 012e269..45b8836 100644
--- a/nss_engine_cipher.c
+++ b/nss_engine_cipher.c
@@ -164,6 +164,7 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
 int i, action;
 PRBool merge = PR_FALSE;
 PRBool found = PR_FALSE;
+ PRBool first = PR_TRUE;
 cipher = ciphers;
 while (ciphers && (strlen(ciphers)))
@@ -210,11 +211,22 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
 set_cipher_value(cipher_list, i, action);
 }
 } else if (!strcmp(cipher, "DEFAULT")) {
+ /* In OpenSSL the default cipher list is
+ * ALL:!aNULL:!eNULL:!SSLv2
+ * So we need to disable all the NULL ciphers too.
+ */
+ int mask = SSL_aNULL | SSL_eNULL;
+ PRBool enabled;
 found = PR_TRUE;
 for (i=0; i < ciphernum; i++) {
 if (cipher_list[i] != -1)
 SSL_CipherPrefGetDefault(ciphers_def[i].num, &cipher_list[i]);
+ if (PR_TRUE == first) {
+ if (ciphers_def[i].attr & mask) {
+ set_cipher_value(cipher_list, i, -1);
+ }
+ }
 }
 } else if (!strcmp(cipher, "COMPLEMENTOFDEFAULT")) {
 found = PR_TRUE;
@@ -374,6 +386,7 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
 }
 } /* while */
 if (PR_TRUE == merge) {
+ first = PR_FALSE;
 /* Merge the candidate list into the cipher list */
 for (i=0; i
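Review bot: `PRBool enabled;` added in the DEFAULT branch is never read anywhere in the branch, so it only draws an unused-variable warning; drop the line. The aNULL/eNULL stripping is also gated on `first`, which the third hunk clears once a merge has happened, so a `DEFAULT` token that is not the leading entry still calls SSL_CipherPrefGetDefault() but leaves the NULL ciphers at whatever NSS's default preference reports — if that is the intended OpenSSL-compatible behaviour, say so where `first` is declared, e.g. `/* PR_TRUE until the first merge: DEFAULT strips aNULL/eNULL only when it leads the list */`. The nested checks read more directly as `if (first && (ciphers_def[i].attr & mask))`, and `mask` could be `const int` since it is never modified. The enclosing parse_openssl_ciphers() starts and ends outside this hunk.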