From 063ad1c8b629318288223792c0ca7ab3f991f3e6 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa
Date: Wed, 10 Feb 2016 17:20:35 +0100
Subject: Don't include by default ciphers that are not supported
There could be cases (mostly when compiled on old systems, since modern openssl versions don't include such insecure ciphers) in which defaultCiphers included a cipher that wasn't in the supported ciphers list. With this patch we make sure that defaultCiphers is a subset of supportedCiphers
Change-Id: I545ea21f5fd3a6ed13b366cdd56a1393233f9fc9
Reviewed-by: Richard J. Moore
---
src/network/ssl/qsslsocket_openssl.cpp | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'src/network/ssl/qsslsocket_openssl.cpp')
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 244d4bbebf..8caa56ee5b 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -643,10 +643,12 @@ void QSslSocketPrivate::resetDefaultCiphers()
 // Unconditionally exclude ADH and AECDH ciphers since they offer no MITM protection
 if (!ciph.name().toLower().startsWith(QLatin1String("adh")) &&
 !ciph.name().toLower().startsWith(QLatin1String("exp-adh")) &&
- !ciph.name().toLower().startsWith(QLatin1String("aecdh")))
+ !ciph.name().toLower().startsWith(QLatin1String("aecdh"))) {
 ciphers << ciph;
- if (ciph.usedBits() >= 128)
- defaultCiphers << ciph;
+
+ if (ciph.usedBits() >= 128)
+ defaultCiphers << ciph;
+ }
 }
 }
 }
-- cgit v1.2.3
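Review bot: Inside the new braced block, membership in `defaultCiphers` is still decided only by `ciph.usedBits() >= 128`, which tests key size rather than cipher strength. The commit message itself says old OpenSSL builds can expose insecure suites, and a weak suite with a 128-bit key (an RC4-based one, for example) would presumably still pass this test; whether the enclosing function filters such suites elsewhere is not visible in the hunk. Nothing documents the new subset invariant either, so a later edit could move the inner `if` back out of the block; I would add `// Keep defaultCiphers a subset of ciphers: only add suites accepted above` directly above `if (ciph.usedBits() >= 128)`. The body of `resetDefaultCiphers()` starts and ends outside the hunk, so the surrounding loop and the OpenSSL calls that fill `ciph` could not be checked.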