Description: disable ciphers vulnerable to CVE-2020-1968 Author: Marc Deslauriers --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -373,6 +373,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] #endif /* Cipher 0D */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, @@ -387,6 +388,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 112, 168, }, +#endif /* Cipher 0E */ #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS @@ -425,6 +427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] #endif /* Cipher 10 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, @@ -439,6 +442,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 112, 168, }, +#endif /* The Ephemeral DH ciphers */ /* Cipher 11 */ @@ -942,6 +946,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, }, /* Cipher 30 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_128_SHA, @@ -956,7 +961,9 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, 128, }, +#endif /* Cipher 31 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_128_SHA, @@ -971,6 +978,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, 128, }, +#endif /* Cipher 32 */ { 1, @@ -1033,6 +1041,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 256, }, /* Cipher 36 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_256_SHA, @@ -1047,8 +1056,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 256, 256, }, +#endif /* Cipher 37 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_256_SHA, @@ -1063,6 +1074,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 256, 256, }, +#endif /* Cipher 38 */ { @@ -1162,6 +1174,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] }, /* Cipher 3E */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, @@ -1176,8 +1189,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, 128, }, +#endif /* Cipher 3F */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_128_SHA256, 
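Review bot: `OPENSSL_NO_WEAK_SSL_CIPHERS` is reused here to fence off full-strength fixed-DH suites, from Cipher 0D and 10 through the AES, Camellia, SEED and GCM entries in the later hunks, and nothing in the table says why a 256-bit suite sits under a "weak ciphers" guard. I would add a comment once above Cipher 0D, or at each new guard, such as `/* fixed (static) DH key exchange: compiled out by default because of CVE-2020-1968 */`, so a later maintainer does not remove the guards as a mistake. The mitigation is also only as good as the build configuration: the entries disappear only when the macro is defined, so a build configured with `enable-weak-ssl-ciphers` would still offer them, and the packaging rules should be checked for that. The `ssl3_ciphers[]` initializer begins and ends outside these hunks.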
@@ -1192,6 +1207,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, 128, }, +#endif /* Cipher 40 */ { @@ -1229,6 +1245,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] }, /* Cipher 42 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, @@ -1243,8 +1260,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, 128, }, +#endif /* Cipher 43 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, @@ -1259,6 +1278,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, 128, }, +#endif /* Cipher 44 */ { @@ -1452,6 +1472,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] }, /* Cipher 68 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, @@ -1466,8 +1487,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 256, 256, }, +#endif /* Cipher 69 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_256_SHA256, @@ -1482,6 +1505,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 256, 256, }, +#endif /* Cipher 6A */ { @@ -1621,6 +1645,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 256, }, /* Cipher 85 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, @@ -1635,8 +1660,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 256, 256, }, +#endif /* Cipher 86 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, @@ -1651,6 +1678,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 256, 256, }, +#endif /* Cipher 87 */ { @@ -1787,6 +1815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] }, /* Cipher 97 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_SEED_SHA, @@ -1801,8 +1830,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, 128, }, +#endif /* Cipher 98 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_SEED_SHA, @@ -1817,6 +1848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, 128, }, +#endif /* Cipher 99 */ { 
@@ -1935,6 +1967,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] }, /* Cipher A0 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256, @@ -1949,8 +1982,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, 128, }, +#endif /* Cipher A1 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384, @@ -1965,6 +2000,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 256, 256, }, +#endif /* Cipher A2 */ { @@ -1999,6 +2035,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] }, /* Cipher A4 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, @@ -2013,8 +2050,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 128, 128, }, +#endif /* Cipher A5 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, @@ -2029,6 +2068,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] 256, 256, }, +#endif /* Cipher A6 */ {
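Review bot: Nothing in the patch verifies that the guarded set is complete. The hunks fence twenty `DH_DSS`/`DH_RSA` entries up to Cipher A5, but the rest of `ssl3_ciphers[]` is not visible here, so any fixed-DH entry that was missed would still be negotiable. A package-level regression check would close that gap, for example asserting that `openssl ciphers -v 'kDH'` lists no suites in the default build. It is also worth a changelog line noting that configurations pinned to these suite names will presumably stop matching after the update.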