Add new cipherlist-setting APIs that reject nonsense. The new APIs are SSL_CTX_set_strict_cipher_list() and SSL_set_strict_cipher_list(). They have two motivations: First, typos in cipher lists can go undetected for a long time, and can have surprising consequences when silently ignored. Second, there is a tendency to use superstition in the construction of cipher lists, for example by "turning off" things that do not actually exist. This leads to the corrosive belief that DEFAULT and ALL ought not to be trusted. This belief is false. Change-Id: I42909b69186e0b4cf45457e5c0bc968f6bbf231a Reviewed-on: https://boringssl-review.googlesource.com/13925 Commit-Queue: Matt Braithwaite <mab@google.com> Reviewed-by: Matt Braithwaite <mab@google.com>

commit: a57dcfb69c475b13f8675f6bfbe2f2cf8dad3667 [log] [tgz]
author: Matthew Braithwaite <mab@google.com> Fri Feb 17 22:08:23 2017 -0800
committer: Matt Braithwaite <mab@google.com> Wed Feb 22 00:09:27 2017 +0000
tree: 8ad2d291ee4d13ae7c9a6cbb105dc54aea10120a
parent: c4796c92e0aced2342ed5687201aea07189c3bc1 [diff] [blame]
diff --git a/tool/server.cc b/tool/server.cc
index f203df1..20c913c 100644
--- a/tool/server.cc
+++ b/tool/server.cc

@@ -188,7 +188,7 @@
   }
 
   if (args_map.count("-cipher") != 0 &&
-      !SSL_CTX_set_cipher_list(ctx.get(), args_map["-cipher"].c_str())) {
+      !SSL_CTX_set_strict_cipher_list(ctx.get(), args_map["-cipher"].c_str())) {
     fprintf(stderr, "Failed setting cipher list\n");
     return false;
   }
commit	a57dcfb69c475b13f8675f6bfbe2f2cf8dad3667	[log] [tgz]
author	Matthew Braithwaite <mab@google.com>	Fri Feb 17 22:08:23 2017 -0800
committer	Matt Braithwaite <mab@google.com>	Wed Feb 22 00:09:27 2017 +0000
tree	8ad2d291ee4d13ae7c9a6cbb105dc54aea10120a
parent	c4796c92e0aced2342ed5687201aea07189c3bc1 [diff] [blame]