They should not be used anymore according to https://tools.ietf.org/html/rfc7465
and browser like Chrome, Firefox and Edge/IE [1] already removed them.
We should to do the same. To have everything in one place I also moved
the disabling of SSLv2/v3 to the mono_btls_ssl_ctx_new function as well
instead of disabling it on each single connection.
Fixes https://bugzilla.xamarin.com/show_bug.cgi?id=51625
[1] https://blogs.windows.com/msedgedev/2016/08/09/rc4-now-deprecated/
memset (ctx, 0, sizeof (MonoBtlsSslCtx));
ctx->references = 1;
ctx->ctx = SSL_CTX_new (TLS_method ());
+
+ // enable the default ciphers but disable any RC4 based ciphers
+ // since they're insecure: RFC 7465 "Prohibiting RC4 Cipher Suites"
+ SSL_CTX_set_cipher_list (ctx->ctx, "DEFAULT:!RC4");
+
+ // disable SSLv2 and SSLv3 by default, they are deprecated
+ // and should generally not be used according to the openssl docs
+ SSL_CTX_set_options (ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
return ctx;
}
ptr->ctx = mono_btls_ssl_ctx_up_ref (ctx);
ptr->ssl = SSL_new (mono_btls_ssl_ctx_get_ctx (ptr->ctx));
- SSL_set_options (ptr->ssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
-
return ptr;
}