Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c =================================================================== --- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c +++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c @@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ */ ok = 1; rule_p = rule_str; - if (strncmp(rule_str, "DEFAULT", 7) == 0) { + if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) { + ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST, + &head, &tail, ca_list, c); + rule_p += 12; + if (*rule_p == ':') + rule_p++; + } + else if (strncmp(rule_str, "DEFAULT", 7) == 0) { ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(), &head, &tail, ca_list, c); rule_p += 7; Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t =================================================================== --- /dev/null +++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t @@ -0,0 +1,23 @@ +#! /usr/bin/env perl + +use strict; +use warnings; + +use OpenSSL::Test qw/:DEFAULT/; +use OpenSSL::Test::Utils; + +setup("test_default_ciphersuites"); + +plan tests => 6; + +my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT"); + +foreach my $cipherlist (@cipher_suites) { + ok(run(app(["openssl", "ciphers", "-s", $cipherlist])), + "openssl ciphers works with ciphersuite $cipherlist"); + ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)), + "$cipherlist shouldn't contain MD5, DES or RC4\n"); + ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)), + "$cipherlist should contain TLSv1.3 ciphers\n"); +} + Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in =================================================================== --- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in +++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in @@ -189,6 +189,11 @@ extern "C" { */ # ifndef OPENSSL_NO_DEPRECATED_3_0 # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" +# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\ + "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\ + "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ + "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ + "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" /* * This is the default set of TLSv1.3 ciphersuites * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()