Chromium Code Reviews

Unified Diff: libcurl_http_fetcher.cc

Issue 5085002: AU: Restrict SSL ciphers to HIGH in official builds. (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/update_engine.git@master
Patch Set: Created 10 years, 1 month ago
Index: libcurl_http_fetcher.cc
diff --git a/libcurl_http_fetcher.cc b/libcurl_http_fetcher.cc
index 8af9d455bf64386b9f19e85df176cb346e17338e..d5358bd252118b90efa4fd8219192c51d2cf77ca 100644
--- a/libcurl_http_fetcher.cc
+++ b/libcurl_http_fetcher.cc
@@ -101,20 +101,24 @@ void LibcurlHttpFetcher::ResumeTransfer(const std::string& url) {
CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_MAXREDIRS, kMaxRedirects),
CURLE_OK);
- // Makes sure that peer certificate verification is enabled and restricts the
- // set of trusted certificates.
- CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1), CURLE_OK);
- CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH, kCACertificatesPath),
- CURLE_OK);
-
- // Restrict protocols to HTTPS in official builds.
+ // Security lock-down in official builds: makes sure that peer certificate
+ // verification is enabled, restricts the set of trusted certificates,
+ // restricts protocols to HTTPS, restricts ciphers to HIGH.
if (IsOfficialBuild()) {
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1),
+ CURLE_OK);
+ CHECK_EQ(curl_easy_setopt(curl_handle_,
+ CURLOPT_CAPATH,
+ kCACertificatesPath),
+ CURLE_OK);
CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS),
CURLE_OK);
CHECK_EQ(curl_easy_setopt(curl_handle_,
CURLOPT_REDIR_PROTOCOLS,
CURLPROTO_HTTPS),
CURLE_OK);
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_CIPHER_LIST, "HIGH"),
+ CURLE_OK);
}
CHECK_EQ(curl_multi_add_handle(curl_multi_handle_, curl_handle_), CURLM_OK);
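Review bot: Moving the CURLOPT_SSL_VERIFYPEER and CURLOPT_CAPATH calls inside the if (IsOfficialBuild()) block means non-official builds no longer pin the trust store to kCACertificatesPath and no longer set peer verification explicitly. That goes beyond the issue title, which only mentions restricting ciphers. If the relaxation is intended (for example, to test against dev servers), say so in the comment and the commit description. Otherwise keep those two calls unconditional and put only the new CURLOPT_SSL_CIPHER_LIST call in the official-build branch. Two smaller points on the same block: curl_easy_setopt takes a long for CURLOPT_SSL_VERIFYPEER, so pass 1L rather than 1. With an OpenSSL backend, the cipher string "HIGH" on its own does not exclude anonymous (unauthenticated) suites, so "HIGH:!aNULL" would state the intent more precisely.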