[glib-networking] openssl: Do not set cipher list by default



commit 2ede29bedfb9c4ed18f373d07623b398ae342cdc
Author: Anderson Toshiyuki Sasaki <ansasaki redhat com>
Date:   Thu Oct 29 17:52:10 2020 +0100

    openssl: Do not set cipher list by default
    
    Previously, the cipher list was set as "HIGH:!DSS:!aNULL@STRENGTH" by
    default.  This prevented the OpenSSL backend from following the
    system-wide crypto policies on systems such as Fedora or RHEL.
    
    With this change, the cipher list is only set when the environment
    variable G_TLS_OPENSSL_CIPHER_LIST is specified.
    
    Fixes #106
    
    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki redhat com>

 tls/openssl/gtlsclientconnection-openssl.c | 18 ++++++++----------
 tls/openssl/gtlsserverconnection-openssl.c | 18 ++++++++----------
 2 files changed, 16 insertions(+), 20 deletions(-)
---
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index 55772bc..a6b4e97 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -36,8 +36,6 @@
 #include "gtlscertificate-openssl.h"
 #include <glib/gi18n-lib.h>
 
-#define DEFAULT_CIPHER_LIST "HIGH:!DSS:!aNULL@STRENGTH"
-
 struct _GTlsClientConnectionOpenssl
 {
   GTlsConnectionOpenssl parent_instance;
@@ -302,15 +300,15 @@ set_cipher_list (GTlsClientConnectionOpenssl  *client,
   const gchar *cipher_list, *proto;
 
   cipher_list = g_getenv ("G_TLS_OPENSSL_CIPHER_LIST");
-  if (!cipher_list)
-    cipher_list = DEFAULT_CIPHER_LIST;
-
-  if (!SSL_CTX_set_cipher_list (client->ssl_ctx, cipher_list))
+  if (cipher_list)
     {
-      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
-                   _("Could not create TLS context: %s"),
-                   ERR_error_string (ERR_get_error (), NULL));
-      return FALSE;
+      if (!SSL_CTX_set_cipher_list (client->ssl_ctx, cipher_list))
+        {
+          g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                       _("Could not set TLS cipher list: %s"),
+                       ERR_error_string (ERR_get_error (), NULL));
+          return FALSE;
+        }
     }
 
   proto = g_getenv ("G_TLS_OPENSSL_MAX_PROTO");
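Review bot: The new branch leaves no record of what cipher list applies when G_TLS_OPENSSL_CIPHER_LIST is unset, so a reader sees an optional override with no stated default; the context now falls through to whatever OpenSSL's compiled-in default or the distribution's crypto policy provides, which differs from the old "HIGH:!DSS:!aNULL@STRENGTH" on systems without such a policy. I'd add a comment above `if (cipher_list)`: `/* Unset: keep OpenSSL's default (or the system-wide crypto policy); the old HIGH:!DSS:!aNULL list is no longer imposed here. */`. Note also that SSL_CTX_set_cipher_list only governs pre-TLS-1.3 suites, so an override via this variable presumably leaves the TLS 1.3 ciphersuite list untouched; that is worth one sentence in the comment or commit message. set_cipher_list begins and ends outside this hunk.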
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index dda1146..a4ea30f 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -31,8 +31,6 @@
 #include "openssl-include.h"
 #include <glib/gi18n-lib.h>
 
-#define DEFAULT_CIPHER_LIST "HIGH:!DSS:!aNULL@STRENGTH"
-
 struct _GTlsServerConnectionOpenssl
 {
   GTlsConnectionOpenssl parent_instance;
@@ -338,15 +336,15 @@ set_cipher_list (GTlsServerConnectionOpenssl  *server,
   const gchar *cipher_list, *proto;
 
   cipher_list = g_getenv ("G_TLS_OPENSSL_CIPHER_LIST");
-  if (!cipher_list)
-    cipher_list = DEFAULT_CIPHER_LIST;
-
-  if (!SSL_CTX_set_cipher_list (server->ssl_ctx, cipher_list))
+  if (cipher_list)
     {
-      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
-                   _("Could not create TLS context: %s"),
-                   ERR_error_string (ERR_get_error (), NULL));
-      return FALSE;
+      if (!SSL_CTX_set_cipher_list (server->ssl_ctx, cipher_list))
+        {
+          g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                       _("Could not set TLS cipher list: %s"),
+                       ERR_error_string (ERR_get_error (), NULL));
+          return FALSE;
+        }
     }
 
   proto = g_getenv ("G_TLS_OPENSSL_MAX_PROTO");
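Review bot: This server-side block is now a byte-identical copy of the client-side env-var handling, so any later change to how G_TLS_OPENSSL_CIPHER_LIST is parsed or reported must be made twice; a small shared helper taking the SSL_CTX and GError would keep the two backends from drifting. Independently, the old default explicitly excluded anonymous (aNULL) and DSS suites, and whether the new effective default on a server does the same depends on the OpenSSL build and policy configuration; the commit message should say so, since a server accepting an anonymous suite is a more serious regression than a client doing so. A one-line comment above `if (cipher_list)`, `/* Unset: defer to OpenSSL's default or the system crypto policy. */`, would document the intended fallback. set_cipher_list begins and ends outside this hunk.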

