X-Git-Url: http://wien.tomnetworks.com/gitweb/?a=blobdiff_plain;f=mono%2Fbtls%2Fbtls-ssl-ctx.c;h=fa56fbd73ea7ed3e34ec0b809ac5683158f7eaf2;hb=HEAD;hp=1f9d43c536e790af0c3c5840bd1e5037b468d913;hpb=4c960e1dd530396fdd9400c87729a6ce3101e5c1;p=mono.git
diff --git a/mono/btls/btls-ssl-ctx.c b/mono/btls/btls-ssl-ctx.c
index 1f9d43c536e..fa56fbd73ea 100644
--- a/mono/btls/btls-ssl-ctx.c
+++ b/mono/btls/btls-ssl-ctx.c
@@ -64,6 +64,15 @@ mono_btls_ssl_ctx_new (void)
 memset (ctx, 0, sizeof (MonoBtlsSslCtx));
 ctx->references = 1;
 ctx->ctx = SSL_CTX_new (TLS_method ());
+
+ // enable the default ciphers but disable any RC4 based ciphers
+ // since they're insecure: RFC 7465 "Prohibiting RC4 Cipher Suites"
+ SSL_CTX_set_cipher_list (ctx->ctx, "DEFAULT:!RC4");
+
+ // disable SSLv2 and SSLv3 by default, they are deprecated
+ // and should generally not be used according to the openssl docs
+ SSL_CTX_set_options (ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 return ctx;
 }
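Review bot: `ctx->ctx` is handed to `SSL_CTX_set_cipher_list` and `SSL_CTX_set_options` without a NULL check, so a failed `SSL_CTX_new` now turns into a NULL dereference inside the TLS library rather than a wrapper holding an empty context. The return value of `SSL_CTX_set_cipher_list` is also discarded; if the cipher string were ever rejected, the context would presumably keep its previous list and the RC4 exclusion would be silently absent. I would guard both with something like `if (!ctx->ctx || !SSL_CTX_set_cipher_list (ctx->ctx, "DEFAULT:!RC4")) goto fail;`, where the failure path calls `SSL_CTX_free (ctx->ctx)`, releases `ctx` with the counterpart of its allocator, and returns NULL. The allocation of `ctx` and the start of `mono_btls_ssl_ctx_new` lie outside the hunk, so the matching free call has to be confirmed there.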