Index: openssl-1.1.1/ssl/ssl_ciph.c =================================================================== --- openssl-1.1.1.orig/ssl/ssl_ciph.c 2018-09-11 14:48:23.000000000 +0200 +++ openssl-1.1.1/ssl/ssl_ciph.c 2018-09-11 16:38:40.412543331 +0200 @@ -1567,7 +1567,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ */ ok = 1; rule_p = rule_str; - if (strncmp(rule_str, "DEFAULT", 7) == 0) { + if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) { + ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST, + &head, &tail, ca_list, c); + rule_p += 12; + if (*rule_p == ':') + rule_p++; + } + else if (strncmp(rule_str, "DEFAULT", 7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail, ca_list, c); rule_p += 7; Index: openssl-1.1.1/include/openssl/ssl.h =================================================================== --- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 +0200 +++ openssl-1.1.1/include/openssl/ssl.h 2018-09-11 16:45:20.979303981 +0200 @@ -171,6 +171,11 @@ extern "C" { * This applies to ciphersuites for TLSv1.2 and below. */ # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" +# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\ + "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\ + "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ + "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ + "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" /* This is the default set of TLSv1.3 ciphersuites */ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ Index: openssl-1.1.1/test/recipes/99-test_suse_default_ciphers.t =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1/test/recipes/99-test_suse_default_ciphers.t 2018-09-11 16:38:23.292423281 +0200 @@ -0,0 +1,23 @@ +#! /usr/bin/env perl + +use strict; +use warnings; + +use OpenSSL::Test qw/:DEFAULT/; +use OpenSSL::Test::Utils; + +setup("test_default_ciphersuites"); + +plan tests => 6; + +my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT"); + +foreach my $cipherlist (@cipher_suites) { + ok(run(app(["openssl", "ciphers", "-s", $cipherlist])), + "openssl ciphers works with ciphersuite $cipherlist"); + ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)), + "$cipherlist shouldn't contain MD5, DES or RC4\n"); + ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)), + "$cipherlist should contain TLSv1.3 ciphers\n"); +} +