[btls] Disable RC4 cipher suites by default

They should not be used anymore according to https://tools.ietf.org/html/rfc7465
and browser like Chrome, Firefox and Edge/IE [1] already removed them.

We should to do the same. To have everything in one place I also moved
the disabling of SSLv2/v3 to the mono_btls_ssl_ctx_new function as well
instead of disabling it on each single connection.

Fixes https://bugzilla.xamarin.com/show_bug.cgi?id=51625

[1] https://blogs.windows.com/msedgedev/2016/08/09/rc4-now-deprecated/

diff --git a/mono/btls/btls-ssl-ctx.c b/mono/btls/btls-ssl-ctx.c
index 1f9d43c536e790af0c3c5840bd1e5037b468d913..fa56fbd73ea7ed3e34ec0b809ac5683158f7eaf2 100644 (file)
--- a/mono/btls/btls-ssl-ctx.c
+++ b/mono/btls/btls-ssl-ctx.c
@@ -64,6 +64,15 @@ mono_btls_ssl_ctx_new (void)
        memset (ctx, 0, sizeof (MonoBtlsSslCtx));
        ctx->references = 1;
        ctx->ctx = SSL_CTX_new (TLS_method ());
+
+       // enable the default ciphers but disable any RC4 based ciphers
+       // since they're insecure: RFC 7465 "Prohibiting RC4 Cipher Suites"
+       SSL_CTX_set_cipher_list (ctx->ctx, "DEFAULT:!RC4");
+
+       // disable SSLv2 and SSLv3 by default, they are deprecated
+       // and should generally not be used according to the openssl docs
+       SSL_CTX_set_options (ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
        return ctx;
 }
 

diff --git a/mono/btls/btls-ssl.c b/mono/btls/btls-ssl.c
index dda74ec4b5eae5788dd0015565be95f576f9ef5c..eca323ce2ae27a194018f0180f89131d3a34443d 100644 (file)
--- a/mono/btls/btls-ssl.c
+++ b/mono/btls/btls-ssl.c
@@ -36,8 +36,6 @@ mono_btls_ssl_new (MonoBtlsSslCtx *ctx)
        ptr->ctx = mono_btls_ssl_ctx_up_ref (ctx);
        ptr->ssl = SSL_new (mono_btls_ssl_ctx_get_ctx (ptr->ctx));
 
-       SSL_set_options (ptr->ssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
-
        return ptr;
 }