From 8395c48df79d75ec9a1961db88bbc8f3bbd530eb Mon Sep 17 00:00:00 2001
From: corvid <devnull@localhost>
Date: Wed, 10 Jun 2015 22:08:12 +0000
Subject: https rm RC4 from cipher list

---
 dpi/https.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'dpi')

diff --git a/dpi/https.c b/dpi/https.c
index da75b9e8..545d6a9b 100644
--- a/dpi/https.c
+++ b/dpi/https.c
@@ -193,9 +193,11 @@ static void yes_ssl_support(void)
    if (exit_error == 0){
       /* Don't want: eNULL, which has no encryption; aNULL, which has no
        * authentication; LOW, which as of 2014 use 64 or 56-bit encryption;
-       * EXPORT40, which uses 40-bit encryption.
+       * EXPORT40, which uses 40-bit encryption; RC4, for which methods were
+       * found in 2013 to defeat it somewhat too easily.
        */
-      SSL_CTX_set_cipher_list(ssl_context, "ALL:!aNULL:!eNULL:!LOW:!EXPORT40");
+      SSL_CTX_set_cipher_list(ssl_context,
+                              "ALL:!aNULL:!eNULL:!LOW:!EXPORT40:!RC4");
 
       /* Need to do this if we want to have the option of dealing
        * with self-signed certs
-- 
cgit v1.2.3