X-Git-Url: http://sjero.net/git/?p=wget;a=blobdiff_plain;f=src%2Fopenssl.c;h=7c92ac0bcb1c80908abb5ea2fce91e49335227dc;hp=e2eec4f7c2932b704fd5cd63e0ed48a735f15813;hb=e505664ef3fd26330ceb24778e6a3a3905e1ca10;hpb=e6123ed6458893f418d5ae2abba3d251080f99c5
diff --git a/src/openssl.c b/src/openssl.c
index e2eec4f7..7c92ac0b 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -194,6 +194,7 @@ ssl_init (void)
 case secure_protocol_sslv3:
 meth = SSLv3_client_method ();
 break;
+ case secure_protocol_pfs:
 case secure_protocol_tlsv1:
 meth = TLSv1_client_method ();
 break;
@@ -207,6 +208,12 @@ ssl_init (void)
 if (!ssl_ctx)
 goto error;
+ /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
+ * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
+ */
+ if (opt.secure_protocol == secure_protocol_pfs)
+ SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH");
+ SSL_CTX_set_default_verify_paths (ssl_ctx);
 SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
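Review bot: The new `case secure_protocol_pfs:` label in the first hunk falls through to `TLSv1_client_method ()`, which negotiates TLS 1.0 only, so the PFS mode can never use TLS 1.1/1.2 or their AEAD ECDHE suites even when the linked OpenSSL and the server both support them. Consider giving this case `meth = SSLv23_client_method ();` and switching off the legacy protocols with `SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` once the context has been created. If sharing the TLSv1 branch is deliberate, a `/* fall through: PFS currently uses the TLSv1 method */` comment would make that explicit. The switch statement starts and ends outside this hunk.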
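Review bot: The return value of `SSL_CTX_set_cipher_list ()` is ignored in the `secure_protocol_pfs` branch added by the second hunk; the call returns 0 when the string selects no usable cipher, and the context is then presumably left with the list it already had, so a connection requested as forward-secret could silently proceed with RSA key exchange. Fail closed instead: `if (!SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH")) goto error;`, reusing the `error` label that the `ssl_ctx` check just above already jumps to. The added comment mentions only HIGH although the string also admits MEDIUM, and it does not say that `!RSA` is the term that removes static-RSA key exchange and leaves the ephemeral ones; stating both would help the next reader. ssl_init continues outside the hunk.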