Overwrite default set of TLSv1.3 ciphersuites
--- include/openssl/ssl.h.orig 2018-11-20 22:35:40.000000000 +0900
+++ include/openssl/ssl.h 2018-11-22 19:52:15.000000000 +0900
@@ -173,12 +173,12 @@
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
/* This is the default set of TLSv1.3 ciphersuites */
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \
- "TLS_AES_128_GCM_SHA256"
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \
+ "TLS_AES_256_GCM_SHA384:" \
+ "TLS_CHACHA20_POLY1305_SHA256"
# else
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_AES_128_GCM_SHA256"
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \
+ "TLS_AES_256_GCM_SHA384"
#endif
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
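Review bot: the new order in both TLS_DEFAULT_CIPHERSUITES branches is undocumented; the comment above them still reads only "/* This is the default set of TLSv1.3 ciphersuites */", so nothing in the patched header records why TLS_AES_128_GCM_SHA256 now precedes TLS_AES_256_GCM_SHA384, or why TLS_CHACHA20_POLY1305_SHA256 drops from second to last in the CHACHA branch. Add a one-line comment stating the intent next to the define so the next rebase does not silently revert it, and consider whether the openssl.cnf Ciphersuites setting discussed in the comments below gives the same default without carrying a local edit to ssl.h that must be re-applied on every OpenSSL release.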
@iz8mbw iz8mbw commented Sep 30, 2020

Hi.
Is this patch also compatible with OpenSSL version 1.1.1h?
Thanks!

@kteru kteru (Owner Author) commented Oct 15, 2020

@iz8mbw

Hi,

Yes, it is also compatible with 1.1.1h.

But it may be better to set the order in your openssl.cnf.

e.g.

### openssl.cnf

# Name the section applied when OpenSSL loads this file.
openssl_conf = default_conf

[default_conf]
# Hook the libssl configuration module.
ssl_conf = ssl_sect

[ssl_sect]
# Applied to every new SSL_CTX (OpenSSL 1.1.1 and later).
system_default = system_default_sect

[system_default_sect]
# TLSv1.3 suites, in preference order.
Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
@iz8mbw iz8mbw commented Oct 15, 2020

Hi @kteru and thank you!
But how do I build OpenSSL from source code using this openssl.cnf?
I build OpenSSL with:

./config --prefix=/opt/ssl --openssldir=/opt/ssl

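An added example on the build question, not code from the gist or from either commenter: OpenSSL reads openssl.cnf from the directory given by --openssldir, so with ./config --prefix=/opt/ssl --openssldir=/opt/ssl the file belongs at /opt/ssl/openssl.cnf and no rebuild is needed; the OPENSSL_CONF environment variable points a single process at a different file. The script below renders the same system_default configuration shown in the thread to a temporary file, asks the openssl binary (assumed to be on PATH; the check is skipped when it is not) for the TLS 1.3 order it actually uses under that file, and compares the order used by the OpenSSL linked into Python itself, which matters because the stdlib ssl module has no call for setting TLS 1.3 suites and so can only be steered through this config. The policy list, the helper names and the constructed get_ciphers() input are my assumptions.

```python
"""Verify the effective TLS 1.3 ciphersuite preference order of an OpenSSL build.

Added example, not code from the gist. Assumes an `openssl` binary on PATH for the
CLI check (skipped otherwise) and reuses the system_default layout from the thread.
"""
import os
import shutil
import ssl
import subprocess
import tempfile

# Order the patch and the posted openssl.cnf both aim for (assumed policy).
WANTED_TLS13_ORDER = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
]


def render_openssl_cnf(ciphersuites):
    """Build an openssl.cnf that pins the TLS 1.3 order via the system_default section."""
    return (
        "openssl_conf = default_conf\n\n"
        "[default_conf]\nssl_conf = ssl_sect\n\n"
        "[ssl_sect]\nsystem_default = system_default_sect\n\n"
        "[system_default_sect]\nCiphersuites = " + ":".join(ciphersuites) + "\n"
    )


def tls13_order(cipher_descriptions):
    """TLS 1.3 suite names, in preference order, from SSLContext.get_ciphers() output."""
    return [c["name"] for c in cipher_descriptions if c.get("protocol") == "TLSv1.3"]


def check_order(actual, wanted):
    """Return (ok, message); ok only when actual equals wanted suite for suite, in order."""
    if actual == wanted:
        return True, "TLS 1.3 order matches policy: " + ":".join(actual)
    missing = [s for s in wanted if s not in actual]
    extra = [s for s in actual if s not in wanted]
    if missing or extra:
        return False, "suite set differs: missing=%r extra=%r" % (missing, extra)
    return False, "same suites, wrong order: got " + ":".join(actual)


def process_tls13_order():
    """Order used by the OpenSSL linked into this Python process (empty if no TLS 1.3)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return tls13_order(ctx.get_ciphers())


def openssl_cli_tls13_order(cnf_text):
    """Order the `openssl` binary uses under cnf_text (via OPENSSL_CONF); None if absent."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        cnf_path = os.path.join(workdir, "openssl.cnf")
        with open(cnf_path, "w") as fh:
            fh.write(cnf_text)
        # -s: only suites usable at the selected protocol; -tls1_3: select TLS 1.3.
        result = subprocess.run(
            ["openssl", "ciphers", "-s", "-tls1_3"],
            env=dict(os.environ, OPENSSL_CONF=cnf_path),
            capture_output=True, text=True, check=True,
        )
    out = result.stdout.strip()
    return out.split(":") if out else []


if __name__ == "__main__":
    print("linked:", ssl.OPENSSL_VERSION)
    print("python ssl module:", check_order(process_tls13_order(), WANTED_TLS13_ORDER)[1])
    cli = openssl_cli_tls13_order(render_openssl_cnf(WANTED_TLS13_ORDER))
    if cli is None:
        print("openssl binary not on PATH; CLI check skipped")
    else:
        print("openssl CLI under generated cnf:", check_order(cli, WANTED_TLS13_ORDER)[1])
```

One caveat on what the order buys you: a server honours its own list only when SSL_OP_CIPHER_SERVER_PREFERENCE is set (in the config module, Options = ServerPreference in the same system_default section); otherwise the client's preference decides, and this order only governs what the same OpenSSL offers when it acts as the client.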