Disable RC4 by default in the library

This commit is contained in:
Manuel Pégourié-Gonnard 2015-03-20 19:13:22 +00:00
parent 391af97a71
commit 849b174e57
3 changed files with 6 additions and 3 deletions

View File

@ -26,6 +26,7 @@ Changes
* Remove test program o_p_test, the script compat.sh does more. * Remove test program o_p_test, the script compat.sh does more.
* Remove test program ssl_test, superseded by ssl-opt.sh. * Remove test program ssl_test, superseded by ssl-opt.sh.
* Remove helper script active-config.pl * Remove helper script active-config.pl
* RC4 is now disabled by default in the SSL/TLS layer.
= mbed TLS 1.3 branch = mbed TLS 1.3 branch

View File

@ -1784,10 +1784,10 @@ void ssl_set_extended_master_secret( ssl_context *ssl, char ems );
/** /**
* \brief Disable or enable support for RC4 * \brief Disable or enable support for RC4
* (Default: SSL_ARC4_ENABLED) * (Default: SSL_ARC4_DISABLED)
* *
* \note Though the default is RC4 for compatibility reasons in the * \warning Use of RC4 in (D)TLS has been prohibited by RFC ????
* 1.3 branch, the recommended value is SSL_ARC4_DISABLED. * for security reasons. Use at your own risks.
* *
* \note This function will likely be removed in future versions as * \note This function will likely be removed in future versions as
* RC4 will then be disabled by default at compile time. * RC4 will then be disabled by default at compile time.

View File

@ -4908,6 +4908,8 @@ int ssl_init( ssl_context *ssl )
ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() ); ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );
ssl_set_arc4_support( ssl, SSL_ARC4_DISABLED );
#if defined(POLARSSL_SSL_RENEGOTIATION) #if defined(POLARSSL_SSL_RENEGOTIATION)
ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT; ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT;
memset( ssl->renego_period, 0xFF, 7 ); memset( ssl->renego_period, 0xFF, 7 );