fix #3391

4 files changed, 30 insertions, 29 deletions

diff --git a/ChangeLog b/ChangeLog
index 8fd5a41f..60424ad7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,8 @@ May  2 20:22:45 CEST 2014
         Fix possible issue from combination of epoll and suspend/resume
         logic if edge trigger event is lost; also simplify logic to
         maintain simpler invariants on the epoll state. -CG
+        Use OpenSSL cipher list "HIGH" in libmicrospdy (#3391). -CG
+        Releasing 0.9.35. -CG
 
 Thu Apr 10 09:39:38 CEST 2014
         Removed unescaping for URI path (#3371) as '+' should not
diff --git a/configure.ac b/configure.ac
index 361917a4..53db5bca 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,15 +22,15 @@
 #
 AC_PREREQ([2.60])
 LT_PREREQ([2.4.0])
-AC_INIT([libmicrohttpd],[0.9.34],[libmicrohttpd@gnu.org])
+AC_INIT([libmicrohttpd],[0.9.35],[libmicrohttpd@gnu.org])
 AM_INIT_AUTOMAKE([silent-rules] [subdir-objects])
 AC_CONFIG_HEADERS([MHD_config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AH_TOP([#define _GNU_SOURCE  1])
 
-LIB_VERSION_CURRENT=33
+LIB_VERSION_CURRENT=34
 LIB_VERSION_REVISION=0
-LIB_VERSION_AGE=23
+LIB_VERSION_AGE=24
 AC_SUBST(LIB_VERSION_CURRENT)
 AC_SUBST(LIB_VERSION_REVISION)
 AC_SUBST(LIB_VERSION_AGE)
@@ -508,7 +508,7 @@ then
       SAVE_LD_FLAGS="$LDFLAGS"
       LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
       LIBS="$OPENSSL_LIBS $LIBS"
-      AC_CHECK_FUNC([SSL_CTX_set_next_protos_advertised_cb], 
+      AC_CHECK_FUNC([SSL_CTX_set_next_protos_advertised_cb],
         [
           AC_CHECK_FUNC([SSL_library_init], [ have_openssl=yes ],[ have_openssl=no ])
         ],[ have_openssl=no ])
@@ -641,7 +641,7 @@ AC_ARG_WITH(gnutls,
         CPPFLAGS="-I$with_gnutls/include $CPPFLAGS"
         AC_CHECK_FILE([$with_gnutls/include/gnutls/gnutls.h],
           [AC_CHECK_HEADERS([gnutls/gnutls.h],
-            [AC_CHECK_LIB([gnutls], [gnutls_priority_set], 
+            [AC_CHECK_LIB([gnutls], [gnutls_priority_set],
               [
                 GNUTLS_CPPFLAGS="-I$with_gnutls/include"
                 GNUTLS_LDFLAGS="-L$with_gnutls/lib"
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index 46346097..61272790 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -130,7 +130,7 @@ typedef intptr_t ssize_t;
  * Current version of the library.
  * 0x01093001 = 1.9.30-1.
  */
-#define MHD_VERSION 0x00093401
+#define MHD_VERSION 0x00093500
 
 /**
  * MHD-internal return code for "YES".
diff --git a/src/microspdy/io_openssl.c b/src/microspdy/io_openssl.c
index 8dea5bb7..6a8b5cad 100644
--- a/src/microspdy/io_openssl.c
+++ b/src/microspdy/io_openssl.c
@@ -45,7 +45,7 @@ spdyf_next_protos_advertised_cb (SSL *ssl, const unsigned char **out, unsigned i
         (void)arg;
         static unsigned char npn_spdy3[] = {0x06, // length of "spdy/3"
                 0x73,0x70,0x64,0x79,0x2f,0x33};// spdy/3
-        
+
         *out = npn_spdy3;
         *outlen = 7; // total length of npn_spdy3
         return SSL_TLSEXT_ERR_OK;
@@ -87,8 +87,8 @@ SPDYF_openssl_init(struct SPDY_Daemon *daemon)
         //set options for tls
         //TODO DH is not enabled for easier debugging
     //SSL_CTX_set_options(daemon->io_context, SSL_OP_SINGLE_DH_USE);
-    
-    //TODO here session tickets are disabled for easier debuging with 
+
+    //TODO here session tickets are disabled for easier debuging with
     //wireshark when using Chrome
     // SSL_OP_NO_COMPRESSION disables TLS compression to avoid CRIME attack
     options = SSL_OP_NO_TICKET;
@@ -112,14 +112,13 @@ SPDYF_openssl_init(struct SPDY_Daemon *daemon)
                 return SPDY_NO;
         }
     SSL_CTX_set_next_protos_advertised_cb(daemon->io_context, &spdyf_next_protos_advertised_cb, NULL);
-        //TODO only RC4-SHA is used to make it easy to debug with wireshark
-    if (1 != SSL_CTX_set_cipher_list(daemon->io_context, "RC4-SHA"))
+    if (1 != SSL_CTX_set_cipher_list(daemon->io_context, "HIGH"))
     {
                 SPDYF_DEBUG("Couldn't set the desired cipher list");
                 SSL_CTX_free(daemon->io_context);
                 return SPDY_NO;
         }
-        
+
         return SPDY_YES;
 }
 
@@ -135,7 +134,7 @@ int
 SPDYF_openssl_new_session(struct SPDY_Session *session)
 {
         int ret;
-        
+
         if(NULL == (session->io_context = SSL_new(session->daemon->io_context)))
     {
                 SPDYF_DEBUG("Couldn't create ssl structure");
@@ -148,7 +147,7 @@ SPDYF_openssl_new_session(struct SPDY_Session *session)
                 session->io_context = NULL;
                 return SPDY_NO;
         }
-        
+
         //for non-blocking I/O SSL_accept may return -1
         //and this function won't work
         if(1 != (ret = SSL_accept(session->io_context)))
@@ -158,11 +157,11 @@ SPDYF_openssl_new_session(struct SPDY_Session *session)
                 session->io_context = NULL;
                 return SPDY_NO;
         }
-        /* alternatively 
+        /* alternatively
         SSL_set_accept_state(session->io_context);
         * may be called and then the negotiation will be done on reading
         */
-        
+
         return SPDY_YES;
 }
 
@@ -176,7 +175,7 @@ SPDYF_openssl_close_session(struct SPDY_Session *session)
         //after that because the browsers don't seem to care much about
         //"close notify"
         SSL_shutdown(session->io_context);
-        
+
         SSL_free(session->io_context);
 }
 
@@ -187,7 +186,7 @@ SPDYF_openssl_recv(struct SPDY_Session *session,
                                 size_t size)
 {
         int ret;
-        int n = SSL_read(session->io_context, 
+        int n = SSL_read(session->io_context,
                                         buffer,
                                         size);
         //if(n > 0) SPDYF_DEBUG("recvd: %i",n);
@@ -198,15 +197,15 @@ SPDYF_openssl_recv(struct SPDY_Session *session,
                 {
                         case SSL_ERROR_ZERO_RETURN:
                                 return 0;
-                                
+
                         case SSL_ERROR_WANT_READ:
                         case SSL_ERROR_WANT_WRITE:
                                 return SPDY_IO_ERROR_AGAIN;
-                                
+
                         case SSL_ERROR_SYSCALL:
                                 if(EINTR == errno)
                                         return SPDY_IO_ERROR_AGAIN;
-                                
+
                         default:
                                 return SPDY_IO_ERROR_ERROR;
                 }
@@ -222,8 +221,8 @@ SPDYF_openssl_send(struct SPDY_Session *session,
                                 size_t size)
 {
         int ret;
-        
-        int n = SSL_write(session->io_context, 
+
+        int n = SSL_write(session->io_context,
                                         buffer,
                                         size);
         //if(n > 0) SPDYF_DEBUG("sent: %i",n);
@@ -234,20 +233,20 @@ SPDYF_openssl_send(struct SPDY_Session *session,
                 {
                         case SSL_ERROR_ZERO_RETURN:
                                 return 0;
-                                
+
                         case SSL_ERROR_WANT_READ:
                         case SSL_ERROR_WANT_WRITE:
                                 return SPDY_IO_ERROR_AGAIN;
-                                
+
                         case SSL_ERROR_SYSCALL:
                                 if(EINTR == errno)
                                         return SPDY_IO_ERROR_AGAIN;
-                                
+
                         default:
                                 return SPDY_IO_ERROR_ERROR;
                 }
         }
-        
+
         return n;
 }
 
@@ -267,7 +266,7 @@ int
 SPDYF_openssl_before_write(struct SPDY_Session *session)
 {
   (void)session;
-  
+
   return SPDY_YES;
 }
 
@@ -276,6 +275,6 @@ int
 SPDYF_openssl_after_write(struct SPDY_Session *session, int was_written)
 {
   (void)session;
-  
+
   return was_written;
 }