1 By default even recent versions of OpenSSL support and accept both
2 "export strength" ciphers, small-bitsize ciphers as well as downright
5 This change sets a default cipher selection that tries to avoid the
6 worst ones, and subsequently it makes https://www.howsmyssl.com/a/check
7 no longer grade lynx/OpenSSL connects as 'Bad'.
9 This change will be passed upstream.
11 --- lynx2-8-8/WWW/Library/Implementation/HTTP.h.orig 2015-03-10 08:40:16.089217608 -0700
12 +++ lynx2-8-8/WWW/Library/Implementation/HTTP.h 2015-03-10 08:41:05.590224096 -0700
14 GLOBALREF HTProtocol HTTPS;
15 #endif /* GLOBALREF_IS_MACRO */
17 +#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
19 #define URL_GET_METHOD 1
20 #define URL_POST_METHOD 2
21 #define URL_MAIL_METHOD 3
22 --- lynx2-8-8/WWW/Library/Implementation/HTTP.c.orig 2015-03-10 08:40:31.459735465 -0700
23 +++ lynx2-8-8/WWW/Library/Implementation/HTTP.c 2015-03-10 08:53:29.358186971 -0700
26 SSL *HTGetSSLHandle(void)
30 #ifdef USE_GNUTLS_INCL
31 static char *certfile = NULL;
33 @@ -210,6 +210,8 @@ SSL *HTGetSSLHandle(void)
34 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) != NULL) {
35 /* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
36 SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
37 + ciphers = (char *)DEFAULT_CIPHER_SELECTION;
38 + SSL_CTX_set_cipher_list(ssl_ctx, ciphers);
39 #ifdef SSL_OP_NO_COMPRESSION
40 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);