Add ssl_set_arc4_support()
Rationale: if people want to disable RC4 but otherwise keep the default suite
list, it was cumbersome. Also, since it uses a global array,
ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like
the best place, even if it means temporarily adding one SSL setting.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 27abb3e..cf46080 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -588,6 +588,10 @@
ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
continue;
+ if( ssl->arc4_disabled == SSL_ARC4_DISABLED &&
+ ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
+ continue;
+
SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
ciphersuites[i] ) );
@@ -879,6 +883,7 @@
unsigned char *buf, *ext;
int renegotiation_info_seen = 0;
int handshake_failure = 0;
+ const ssl_ciphersuite_t *suite_info;
#if defined(POLARSSL_DEBUG_C)
uint32_t t;
#endif
@@ -1059,6 +1064,16 @@
SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
+ suite_info = ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
+ if( suite_info == NULL ||
+ ( ssl->arc4_disabled &&
+ suite_info->cipher == POLARSSL_CIPHER_ARC4_128 ) )
+ {
+ SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+ return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
+ }
+
+
i = 0;
while( 1 )
{