Disable RC4 by default in the library

2015-03-20 19:13:22 +00:00 · 2015-03-20 19:13:22 +00:00 · 849b174e57
commit 849b174e57
parent 391af97a71
3 changed files with 6 additions and 3 deletions
--- a/1
+++ b/1
@ -26,6 +26,7 @@ Changes
   * Remove test program o_p_test, the script compat.sh does more.
   * Remove test program ssl_test, superseded by ssl-opt.sh.
   * Remove helper script active-config.pl
+   * RC4 is now disabled by default in the SSL/TLS layer.

 = mbed TLS 1.3 branch

--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1784,10 +1784,10 @@ void ssl_set_extended_master_secret( ssl_context *ssl, char ems );

 /**
 * \brief          Disable or enable support for RC4
- *                 (Default: SSL_ARC4_ENABLED)
+ *                 (Default: SSL_ARC4_DISABLED)
 *
- * \note           Though the default is RC4 for compatibility reasons in the
- *                 1.3 branch, the recommended value is SSL_ARC4_DISABLED.
+ * \warning        Use of RC4 in (D)TLS has been prohibited by RFC ????
+ *                 for security reasons. Use at your own risks.
 *
 * \note           This function will likely be removed in future versions as
 *                 RC4 will then be disabled by default at compile time.
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -4908,6 +4908,8 @@ int ssl_init( ssl_context *ssl )

    ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );

+    ssl_set_arc4_support( ssl, SSL_ARC4_DISABLED );
+
 #if defined(POLARSSL_SSL_RENEGOTIATION)
    ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT;
    memset( ssl->renego_period, 0xFF, 7 );