From 6a3dcc9e0ffedace9dc5fc7ee878d7bd9a681dff Mon Sep 17 00:00:00 2001
From: Travis Cross
Date: Wed, 5 Mar 2014 21:32:07 +0000
Subject: [PATCH] Drop null-auth suites from our default TLS cipher list

Previously we disallowed anonymous Diffie-Hellman, but there are other kinds of null-authentication TLS suites. In particular, disallowing AECDH is important now that we support elliptic-curve Diffie-Hellman.
---
 libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c | 2 +-
 libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
index a63963b58e..07218159db 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
@@ -202,7 +202,7 @@ void tls_set_default(tls_issues_t *i)
 i->key = i->key ? i->key : i->cert;
 i->randFile = i->randFile ? i->randFile : "tls_seed.dat";
 i->CAfile = i->CAfile ? i->CAfile : "cafile.pem";
- i->ciphers = i->ciphers ? i->ciphers : "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
+ i->ciphers = i->ciphers ? i->ciphers : "!eNULL:!aNULL:!EXP:!LOW:!MD5:ALL:@STRENGTH";
 /* Default SIP cipher */
 /* "RSA-WITH-AES-128-CBC-SHA"; */
 /* RFC-2543-compatibility ciphersuite */
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
index 47d330a146..74a8db6a15 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
@@ -61,7 +61,7 @@ typedef struct tls_issues_s {
 char *CAfile; /* PEM file of CA's */
 char *CApath; /* PEM file path of CA's */
 char *ciphers; /* Should be one of the above defined ciphers *
- * or NULL (default: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+ * or NULL (default: !eNULL:!aNULL:!EXP:!LOW:!MD5:ALL:@STRENGTH)
 */
 int version; /* For tls1, version is 1. When ssl3/ssl2 is
 * used, it is 0. */
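Review bot: The default cipher string on the added `i->ciphers` line in tport_tls.c is duplicated verbatim in the tport_tls.h comment a few hunks later, and the old header comment had already drifted from the code (a stray opening quote and no closing parenthesis), so the two will diverge again on the next change. A single named constant in the header, e.g. `#define TLS_DEFAULT_CIPHERS "!eNULL:!aNULL:!EXP:!LOW:!MD5:ALL:@STRENGTH"`, used as `i->ciphers = i->ciphers ? i->ciphers : TLS_DEFAULT_CIPHERS;` and referenced from the struct comment, keeps the documented and effective defaults in one place. Separately, the new list still admits everything under `ALL` that is not explicitly excluded, so it is worth a comment on that line recording which suite classes were deliberately left in so the next reviewer can judge whether further exclusions belong there; the surrounding `tls_set_default` body starts before this hunk.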