[glib-networking] openssl: Do not set cipher list by default
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking] openssl: Do not set cipher list by default
- Date: Fri, 30 Oct 2020 14:41:56 +0000 (UTC)
commit 2ede29bedfb9c4ed18f373d07623b398ae342cdc
Author: Anderson Toshiyuki Sasaki <ansasaki redhat com>
Date: Thu Oct 29 17:52:10 2020 +0100
openssl: Do not set cipher list by default
Previously, the cipher list was set as "HIGH:!DSS:!aNULL@STRENGTH" by
default. This made the OpenSSL backend not follow the system-wide
crypto policies in systems like Fedora or RHEL.
With this change, the cipher list is only set when the environment
variable G_TLS_OPENSSL_CIPHER_LIST is specified.
Fixes #106
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki redhat com>
tls/openssl/gtlsclientconnection-openssl.c | 18 ++++++++----------
tls/openssl/gtlsserverconnection-openssl.c | 18 ++++++++----------
2 files changed, 16 insertions(+), 20 deletions(-)
---
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index 55772bc..a6b4e97 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -36,8 +36,6 @@
#include "gtlscertificate-openssl.h"
#include <glib/gi18n-lib.h>
-#define DEFAULT_CIPHER_LIST "HIGH:!DSS:!aNULL@STRENGTH"
-
struct _GTlsClientConnectionOpenssl
{
GTlsConnectionOpenssl parent_instance;
@@ -302,15 +300,15 @@ set_cipher_list (GTlsClientConnectionOpenssl *client,
const gchar *cipher_list, *proto;
cipher_list = g_getenv ("G_TLS_OPENSSL_CIPHER_LIST");
- if (!cipher_list)
- cipher_list = DEFAULT_CIPHER_LIST;
-
- if (!SSL_CTX_set_cipher_list (client->ssl_ctx, cipher_list))
+ if (cipher_list)
{
- g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
- _("Could not create TLS context: %s"),
- ERR_error_string (ERR_get_error (), NULL));
- return FALSE;
+ if (!SSL_CTX_set_cipher_list (client->ssl_ctx, cipher_list))
+ {
+ g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+ _("Could not set TLS cipher list: %s"),
+ ERR_error_string (ERR_get_error (), NULL));
+ return FALSE;
+ }
}
proto = g_getenv ("G_TLS_OPENSSL_MAX_PROTO");
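Review bot: The new `if (cipher_list)` branch leaves the "unset" case undocumented, and a reader of set_cipher_list can no longer see from the code that skipping `SSL_CTX_set_cipher_list` is deliberate rather than an oversight; I would add above it `/* No override: leave the OpenSSL default so the system-wide crypto policy (e.g. openssl.cnf) applies. */`. The nesting can also be flattened to `if (cipher_list && !SSL_CTX_set_cipher_list (client->ssl_ctx, cipher_list))` with a single error block, which keeps the diff against the pre-change body smaller. Note that `SSL_CTX_set_cipher_list` governs only the TLS 1.2-and-below suites; TLS 1.3 suites are configured through `SSL_CTX_set_ciphersuites`, so the env var's effect should be documented as limited to those, or a second variable considered. The same points apply to the identical hunk in tls/openssl/gtlsserverconnection-openssl.c. set_cipher_list's signature and the remainder of its body lie outside this hunk.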
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index dda1146..a4ea30f 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -31,8 +31,6 @@
#include "openssl-include.h"
#include <glib/gi18n-lib.h>
-#define DEFAULT_CIPHER_LIST "HIGH:!DSS:!aNULL@STRENGTH"
-
struct _GTlsServerConnectionOpenssl
{
GTlsConnectionOpenssl parent_instance;
@@ -338,15 +336,15 @@ set_cipher_list (GTlsServerConnectionOpenssl *server,
const gchar *cipher_list, *proto;
cipher_list = g_getenv ("G_TLS_OPENSSL_CIPHER_LIST");
- if (!cipher_list)
- cipher_list = DEFAULT_CIPHER_LIST;
-
- if (!SSL_CTX_set_cipher_list (server->ssl_ctx, cipher_list))
+ if (cipher_list)
{
- g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
- _("Could not create TLS context: %s"),
- ERR_error_string (ERR_get_error (), NULL));
- return FALSE;
+ if (!SSL_CTX_set_cipher_list (server->ssl_ctx, cipher_list))
+ {
+ g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+ _("Could not set TLS cipher list: %s"),
+ ERR_error_string (ERR_get_error (), NULL));
+ return FALSE;
+ }
}
proto = g_getenv ("G_TLS_OPENSSL_MAX_PROTO");