| field | value | date |
|---|---|---|
| author | Bodo Möller <bodo@openssl.org> | 2007-02-20 16:36:58 +0000 |
| committer | Bodo Möller <bodo@openssl.org> | 2007-02-20 16:36:58 +0000 |
| commit | fd5bc65cc889848100ef47436e31da82604b38e6 (patch) | |
| tree | dcbe254ab1bcb9ca57bad0b07b54f5cd5a835ef2 /CHANGES | |
| parent | e041863905bc2222214d1f0503a560ef2f43b2f8 (diff) | |
| download | openssl-fd5bc65cc889848100ef47436e31da82604b38e6.tar.gz | |
Improve ciphersuite order stability when disabling ciphersuites.
Change ssl_create_cipher_list() to prefer ephemeral ECDH over
ephemeral DH.
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 21 |
1 files changed, 21 insertions, 0 deletions
@@ -4,6 +4,27 @@ Changes between 0.9.8e and 0.9.9 [xx XXX xxxx] + *) Change ssl_cipher_apply_rule(), the internal function that does + the work each time a ciphersuite string requests enabling + ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or + removing ("!foo+bar") a class of ciphersuites: Now it maintains + the order of disabled ciphersuites such that those ciphersuites + that most recently went from enabled to disabled not only stay + in order with respect to each other, but also have higher priority + than other disabled ciphersuites the next time ciphersuites are + enabled again. + + This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable + the same ciphersuites as with "HIGH" alone, but in a specific + order where the PSK ciphersuites come first (since they are the + most recently disabled ciphersuites when "HIGH" is parsed). + + Also, change ssl_create_cipher_list() (using this new + funcionality) such that between otherwise identical + cihpersuites, ephemeral ECDH is preferred over ephemeral DH in + the default order. + [Bodo Moeller] + *) Change ssl_create_cipher_list() so that it automatically arranges the ciphersuites in reasonable order before starting to process the rule string. Thus, the definition for "DEFAULT" |
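Review bot: the added CHANGES entry contains two typos ("funcionality" should be "functionality", "cihpersuites" should be "ciphersuites") and an unbalanced parenthesis in the list of rule operators, where disabling ("-foo+bar", or removing ("!foo+bar") needs its closing parenthesis after "-foo+bar". The paragraph describing the new ssl_cipher_apply_rule() behaviour would also read more clearly if it stated the invariant in one sentence before the example: ciphersuites that just went from enabled to disabled are placed ahead of the other disabled ciphersuites, so they come first when a later rule re-enables them; the "PSK:-PSK:HIGH" example then illustrates that rule rather than having to carry the explanation on its own. Since this is a user-visible change to how rule strings order the resulting list, the entry should also note that existing rule strings may produce a different order than in 0.9.8e even when they enable the same set of ciphersuites.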