Add ssl_set_arc4_support()
Rationale: if people want to disable RC4 but otherwise keep the default suite
list, it was cumbersome. Also, since it uses a global array,
ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like
the best place, even if it means temporarily adding one SSL setting.
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 4cabf7c..7943d14 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -238,6 +238,9 @@
#define SSL_SESSION_TICKETS_DISABLED 0
#define SSL_SESSION_TICKETS_ENABLED 1
+#define SSL_ARC4_ENABLED 0
+#define SSL_ARC4_DISABLED 1
+
/**
* \name SECTION: Module settings
*
@@ -697,6 +700,8 @@
int min_major_ver; /*!< min. major version used */
int min_minor_ver; /*!< min. minor version used */
+ char arc4_disabled; /*!< flag for disabling RC4 */
+
/*
* Callbacks (RNG, debug, I/O, verification)
*/
@@ -1385,6 +1390,21 @@
*/
void ssl_set_min_version( ssl_context *ssl, int major, int minor );
+/**
+ * \brief Disable or enable support for RC4
+ * (Default: SSL_ARC4_ENABLED)
+ *
+ * \note Though the default is RC4 for compatibility reasons in the
+ * 1.3 branch, the recommended value is SSL_ARC4_DISABLED.
+ *
+ * \note This function will likely be removed in future versions as
+ * RC4 will then be disabled by default at compile time.
+ *
+ * \param ssl SSL context
+ * \param arc4 SSL_ARC4_ENABLED or SSL_ARC4_DISABLED
+ */
+void ssl_set_arc4_support( ssl_context *ssl, char arc4 );
+
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
/**
* \brief Set the maximum fragment length to emit and/or negotiate