diff --git a/ChangeLog b/ChangeLog
index e46a7633a..cba56d4aa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,6 +26,7 @@ Changes
    * Remove test program o_p_test, the script compat.sh does more.
    * Remove test program ssl_test, superseded by ssl-opt.sh.
    * Remove helper script active-config.pl
+   * RC4 is now disabled by default in the SSL/TLS layer.
 
 = mbed TLS 1.3 branch
 
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 04388b25a..5ce118c20 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1784,10 +1784,10 @@ void ssl_set_extended_master_secret( ssl_context *ssl, char ems );
 
 /**
  * \brief Disable or enable support for RC4
- * (Default: SSL_ARC4_ENABLED)
+ * (Default: SSL_ARC4_DISABLED)
  *
- * \note Though the default is RC4 for compatibility reasons in the
- * 1.3 branch, the recommended value is SSL_ARC4_DISABLED.
+ * \warning Use of RC4 in (D)TLS has been prohibited by RFC ????
+ * for security reasons. Use at your own risks.
  *
  * \note This function will likely be removed in future versions as
  * RC4 will then be disabled by default at compile time.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 88de5de9e..8f635a502 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4908,6 +4908,8 @@ int ssl_init( ssl_context *ssl )
 
     ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );
 
+    ssl_set_arc4_support( ssl, SSL_ARC4_DISABLED );
+
 #if defined(POLARSSL_SSL_RENEGOTIATION)
     ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT;
     memset( ssl->renego_period, 0xFF, 7 );
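Review bot: The new `\warning` text in the ssl_set_arc4_support() doc comment cites `RFC ????`, a placeholder that must be resolved before this merges; the prohibition of RC4 cipher suites in (D)TLS is RFC 7465, so the line should read ` * \warning        Use of RC4 in (D)TLS has been prohibited by RFC 7465`. The following line has a grammar slip, `Use at your own risks` should be `Use at your own risk.`, and since this is the only place callers learn that the default flipped from enabled to disabled, it is worth stating explicitly that existing code relying on RC4 must now call this function with SSL_ARC4_ENABLED to keep working. The surrounding doc comment and the function declaration it documents continue outside the hunk.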
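Review bot: The added `ssl_set_arc4_support( ssl, SSL_ARC4_DISABLED );` sits right after `ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );`, and that default list presumably still carries the RC4 suites whenever RC4 is compiled in, so the security of this default rests entirely on every code path that consults the flag the setter stores — ClientHello suite advertisement, server-side suite selection and the final negotiated-suite check — rather than on the suite list itself; please confirm all of those honour it, and add an ssl-opt.sh case asserting that a default-configured client/server pair never negotiates an RC4 suite. A why-comment would stop the next reader from wondering why the list is set and then partially overridden: `/* RC4 is disabled by default (RFC 7465); applications must opt in via ssl_set_arc4_support() */`. ssl_init's body begins and ends outside this hunk, so any later call in it that re-enables RC4 would not be visible here.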