Don't set default ciphers for OpenSSL client sockets
It should be up to the OS to set the default ciphers, e.g. if a cipher
suddenly is deemed insecure or there's a reason to have another cipher
order, such as ChaCha over any AES cipher because of lack of hardware
support.

Currently Crystal will expose up-to-date OS to security considerations
because of hard-coded cipher lists, that might not be so up to date,
unless the application is recompiled with a modern Crystal version.

And because all intermediate ciphers are secure, the server should allow
the client to choose cipher, as recommended by
https://wiki.mozilla.org/Security/Server_Side_TLS
carlhoerberg committed Jul 22, 2023
1 parent 609e129 commit 015ec87
Showing 2 changed files with 0 additions and 4 deletions.
1 change: 0 additions & 1 deletion spec/std/openssl/ssl/context_spec.cr
Expand Up @@ -32,7 +32,6 @@ describe OpenSSL::SSL::Context do
(context.options & OpenSSL::SSL::Options::NO_SESSION_RESUMPTION_ON_RENEGOTIATION).should eq(OpenSSL::SSL::Options::NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
(context.options & OpenSSL::SSL::Options::SINGLE_ECDH_USE).should eq(OpenSSL::SSL::Options::SINGLE_ECDH_USE)
(context.options & OpenSSL::SSL::Options::SINGLE_DH_USE).should eq(OpenSSL::SSL::Options::SINGLE_DH_USE)
(context.options & OpenSSL::SSL::Options::CIPHER_SERVER_PREFERENCE).should eq(OpenSSL::SSL::Options::CIPHER_SERVER_PREFERENCE)
{% if compare_versions(LibSSL::OPENSSL_VERSION, "1.1.0") >= 0 %}
(context.options & OpenSSL::SSL::Options::NO_RENEGOTIATION).should eq(OpenSSL::SSL::Options::NO_RENEGOTIATION)
{% end %}
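Review bot: dropping the `CIPHER_SERVER_PREFERENCE` expectation leaves the new default untested; replace the deleted line with an assertion that `context.options & OpenSSL::SSL::Options::CIPHER_SERVER_PREFERENCE` is no longer set, so that a later change re-adding the option fails the spec. The other change in this commit, removing `self.ciphers = CIPHERS_OLD`, has no spec coverage here either; a check that a fresh context does not carry the hard-coded list would pin that behaviour down as well.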
3 changes: 0 additions & 3 deletions src/openssl/ssl/context.cr
Expand Up @@ -49,8 +49,6 @@ abstract class OpenSSL::SSL::Context
{% if LibSSL.has_method?(:x509_verify_param_lookup) %}
self.default_verify_param = "ssl_server"
{% end %}

self.ciphers = CIPHERS_OLD
end

# Returns a new TLS client context with only the given method set.
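Review bot: with `self.ciphers = CIPHERS_OLD` gone from this constructor, the effective cipher list depends entirely on the linked OpenSSL build and its system configuration, and nothing in the constructor's documentation says so. Add a doc comment stating that no cipher list is applied by default and that callers who need a pinned list must assign `ciphers` themselves. If `CIPHERS_OLD` has no remaining users after this change, say in the commit whether the constant stays as public API.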
Expand Down Expand Up @@ -133,7 +131,6 @@ abstract class OpenSSL::SSL::Context
def initialize(method : LibSSL::SSLMethod = Context.default_method)
super(method)

add_options(OpenSSL::SSL::Options::CIPHER_SERVER_PREFERENCE)
{% if LibSSL.has_method?(:x509_verify_param_lookup) %}
self.default_verify_param = "ssl_client"
{% end %}
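Review bot: the removed `add_options(OpenSSL::SSL::Options::CIPHER_SERVER_PREFERENCE)` sits in a constructor that sets `default_verify_param = "ssl_client"`, which looks like the server-side context, while the commit subject mentions only client sockets. Name the server change in the subject or split it into its own commit, since it alters negotiation for every listener built with the defaults. The message justifies it by all intermediate ciphers being secure, but this hunk does not show what cipher list the server context ends up with, so document how to restore the old behaviour with `add_options(OpenSSL::SSL::Options::CIPHER_SERVER_PREFERENCE)` for deployments that offer a wider list.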