Created November 22, 2018 11:11
Overwrite default set of TLSv1.3 ciphersuites
--- include/openssl/ssl.h.orig 2018-11-20 22:35:40.000000000 +0900 | |
+++ include/openssl/ssl.h 2018-11-22 19:52:15.000000000 +0900 | |
@@ -173,12 +173,12 @@ | |
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" | |
/* This is the default set of TLSv1.3 ciphersuites */ | |
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) | |
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ | |
- "TLS_CHACHA20_POLY1305_SHA256:" \ | |
- "TLS_AES_128_GCM_SHA256" | |
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \ | |
+ "TLS_AES_256_GCM_SHA384:" \ | |
+ "TLS_CHACHA20_POLY1305_SHA256" | |
# else | |
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ | |
- "TLS_AES_128_GCM_SHA256" | |
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \ | |
+ "TLS_AES_256_GCM_SHA384" | |
#endif | |
/* | |
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always |
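Review bot: Neither branch of the `#if` gives a reason for moving TLS_AES_128_GCM_SHA256 ahead of TLS_AES_256_GCM_SHA384, and the CHACHA branch also drops TLS_CHACHA20_POLY1305_SHA256 from second place to last, so peers without hardware AES lose the suite that is fastest for them; add a comment beside the macro stating the rationale (AES-128-GCM throughput on AES-NI hardware, or whatever it is), and consider whether the order belongs in the compiled-in default at all, since `Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256` in the system_default section of openssl.cnf, or SSL_CTX_set_ciphersuites() in the application, sets the same preference without rebuilding libssl and is not lost on the next upgrade.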
Hi.
Is this patch also compatible with OpenSSL version 1.1.1h?
Thanks!

Hi,
Yes, it is also compatible with 1.1.1h.
But it may be better to set the order in your openssl.cnf.
e.g.

### openssl.cnf
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# TLSv1.3 suites, most preferred first
Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

Hi @kteru and thank you!
But how do I build OpenSSL from source code using this openssl.cnf?
I build OpenSSL with:
./config --prefix=/opt/ssl --openssldir=/opt/ssl
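An added example, not part of the gist or of any comment on it, that generates the openssl.cnf from kteru's reply and shows the TLSv1.3 order libssl then reports. OpenSSL reads this file at run time, not at build time: with `./config --prefix=/opt/ssl --openssldir=/opt/ssl` it looks for /opt/ssl/openssl.cnf, and the OPENSSL_CONF environment variable points it at another file, so neither a rebuild nor the header patch above is needed. The script name set-tls13-order.sh, the helper names validate_suites, write_conf and show_order, and the /opt/ssl paths are assumptions; the Ciphersuites directive needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# set-tls13-order.sh: added example, not code from the gist or from OpenSSL.
# Writes an openssl.cnf whose system_default section pins the TLSv1.3
# ciphersuite preference order, then shows the order libssl reports under it.
# Assumes OpenSSL >= 1.1.1; file paths are hypothetical.
set -eu

# The five TLSv1.3 suites OpenSSL 1.1.1 implements. Anything else (a typo,
# a TLS 1.2 name such as ECDHE-RSA-AES128-GCM-SHA256) is rejected before it
# can reach the config file.
KNOWN_TLS13="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256"
KNOWN_TLS13="$KNOWN_TLS13 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256"

# validate_suites "A:B:C": succeed only if the list is non-empty, every
# element is a known TLSv1.3 suite (names are case sensitive) and none repeats.
validate_suites() {
    _seen=" "
    for _s in $(printf '%s' "$1" | tr ':' ' '); do
        case " $KNOWN_TLS13 " in
            *" $_s "*) ;;
            *) echo "not a TLSv1.3 ciphersuite: $_s" >&2; return 1 ;;
        esac
        case "$_seen" in
            *" $_s "*) echo "duplicate ciphersuite: $_s" >&2; return 1 ;;
        esac
        _seen="$_seen$_s "
    done
    [ -n "$1" ]
}

# write_conf FILE "A:B:C": write a minimal openssl.cnf whose system_default
# section sets the TLSv1.3 order for every program linked against this libssl
# that does not override it with SSL_CTX_set_ciphersuites(). Nothing is
# written if the list fails validation.
write_conf() {
    _out=$1
    _suites=$2
    validate_suites "$_suites" || return 1
    cat > "$_out" <<EOF
# Generated by set-tls13-order.sh (example). libssl reads this at run time
# from <openssldir>/openssl.cnf or from the file named by OPENSSL_CONF.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# TLSv1.3 suites, most preferred first. TLS 1.2 and older use CipherString.
Ciphersuites = $_suites
EOF
}

# show_order FILE: print the TLSv1.3 suites libssl enables under FILE, one per
# line in preference order. Prints nothing when no openssl binary is on PATH.
show_order() {
    command -v openssl >/dev/null 2>&1 || return 0
    OPENSSL_CONF=$1 openssl ciphers -s -tls1_3 | tr ':' '\n'
}

# Usage: sh set-tls13-order.sh /opt/ssl/openssl.cnf [SUITES]
# (/opt/ssl matches the --openssldir in the build command quoted above.)
# Nothing runs unless a path is given, so the functions can also be sourced.
if [ $# -ge 1 ]; then
    write_conf "$1" "${2:-TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256}"
    echo "TLSv1.3 order in effect under $1:"
    show_order "$1"
fi
```

To try an order without touching any file, `openssl ciphers -s -tls1_3 -ciphersuites 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384'` prints what libssl would enable. Bear in mind that this order is only the client's preference; a server with `Options = ServerPreference` in the same section (SSL_OP_CIPHER_SERVER_PREFERENCE) chooses by its own list instead.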