From 689fdc1d0b3711766d9688b5da1d4f0e8b2f8ff3 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Tue, 28 Feb 2017 08:23:25 +0000 Subject: [PATCH] - For #1227: if we have sha256, set the cipher list to have no known vulns. git-svn-id: file:///svn/unbound/trunk@4030 be551aaa-1e26-0410-a405-d3ace91eadb9 --- daemon/remote.c | 5 ++++- doc/Changelog | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/daemon/remote.c b/daemon/remote.c index abde9e4e6..b61dfaf1d 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -260,8 +260,11 @@ daemon_remote_create(struct config_file* cfg) return NULL; } #endif - if(!SSL_CTX_set_cipher_list(rc->ctx, "DEFAULT:!CAMELLIA128:!CAMELLIA256:!SEED:!IDEA:!RC4:!3DES:!DES:!MD5:!SHA:!sect283k1:!sect283r1:!sect409k1:!sect409r1:!sect571k1:!sect571r1:!secp256k1:!brainpoolP256r1:!brainpoolP384r1:!brainpoolP512r1")) +#ifdef SHA256_DIGEST_LENGTH + /* if we have sha256, set the cipher list to have no known vulns */ + if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list"); +#endif if (cfg->remote_control_use_cert == 0) { /* No certificates are requested */ diff --git a/doc/Changelog b/doc/Changelog index 24e08c95a..70f1fe8ee 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +28 February 2017: Wouter + - For #1227: if we have sha256, set the cipher list to have no + known vulns. + 27 February 2017: Wouter - Fix #1227: Fix that Unbound control allows weak ciphersuits. - Fix #1226: provide official 32bit binary for windows.