Add cipher suite settings for TLS ≥ 1.0.
This change adds the ability to configure ciphers specifically for
TLS ≥ 1.0. This compliments the existing ability to specify ciphers
for TLS ≥ 1.1.
This is useful because TLS 1.0 is the first version not to suffer from
POODLE. (Assuming that it's implemented correctly[1].) Thus one might
wish to reserve RC4 solely for SSLv3.
[1] https://www.imperialviolet.org/2014/12/08/poodleagain.html
Change-Id: I774d5336fead48f03d8a0a3cf80c369692ee60df
Reviewed-on: https://boringssl-review.googlesource.com/5793
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b2eeb37..fee9523 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1081,6 +1081,11 @@
return s->ctx->cipher_list_tls11->ciphers;
}
+ if (s->version >= TLS1_VERSION && s->ctx != NULL &&
+ s->ctx->cipher_list_tls10 != NULL) {
+ return s->ctx->cipher_list_tls10->ciphers;
+ }
+
if (s->ctx != NULL && s->ctx->cipher_list != NULL) {
return s->ctx->cipher_list->ciphers;
}
@@ -1149,6 +1154,20 @@
return 1;
}
+int SSL_CTX_set_cipher_list_tls10(SSL_CTX *ctx, const char *str) {
+ STACK_OF(SSL_CIPHER) *sk;
+
+ sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list_tls10, NULL, str);
+ if (sk == NULL) {
+ return 0;
+ } else if (sk_SSL_CIPHER_num(sk) == 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
+ return 0;
+ }
+
+ return 1;
+}
+
int SSL_CTX_set_cipher_list_tls11(SSL_CTX *ctx, const char *str) {
STACK_OF(SSL_CIPHER) *sk;