nss: do not enable AES cipher-suites by default
... but allow them to be enabled/disabled explicitly. The default policy should be maintained at the NSS level.
parent
4c599b9d2d
commit
b4f6cd46eb
@ -123,6 +123,10 @@ static const cipher_s cipherlist[] = {
|
|||||||
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
|
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
|
||||||
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
|
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
|
||||||
/* AES ciphers. */
|
/* AES ciphers. */
|
||||||
|
{"dhe_dss_aes_128_cbc_sha", TLS_DHE_DSS_WITH_AES_128_CBC_SHA},
|
||||||
|
{"dhe_dss_aes_256_cbc_sha", TLS_DHE_DSS_WITH_AES_256_CBC_SHA},
|
||||||
|
{"dhe_rsa_aes_128_cbc_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
|
||||||
|
{"dhe_rsa_aes_256_cbc_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
|
||||||
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA},
|
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA},
|
||||||
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA},
|
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA},
|
||||||
/* ECC ciphers. */
|
/* ECC ciphers. */
|
||||||
@ -153,18 +157,6 @@ static const cipher_s cipherlist[] = {
|
|||||||
{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
|
{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
|
||||||
};
|
};
|
||||||
|
|
||||||
/* following ciphers are new in NSS 3.4 and not enabled by default, therefore
|
|
||||||
they are enabled explicitly */
|
|
||||||
static const int enable_ciphers_by_default[] = {
|
|
||||||
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
|
|
||||||
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
|
|
||||||
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
|
|
||||||
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
|
|
||||||
TLS_RSA_WITH_AES_128_CBC_SHA,
|
|
||||||
TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
||||||
SSL_NULL_WITH_NULL_NULL
|
|
||||||
};
|
|
||||||
|
|
||||||
static const char* pem_library = "libnsspem.so";
|
static const char* pem_library = "libnsspem.so";
|
||||||
SECMODModule* mod = NULL;
|
SECMODModule* mod = NULL;
|
||||||
|
|
||||||
@ -1294,7 +1286,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|||||||
curl_socket_t sockfd = conn->sock[sockindex];
|
curl_socket_t sockfd = conn->sock[sockindex];
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
CURLcode curlerr;
|
CURLcode curlerr;
|
||||||
const int *cipher_to_enable;
|
|
||||||
PRSocketOptionData sock_opt;
|
PRSocketOptionData sock_opt;
|
||||||
long time_left;
|
long time_left;
|
||||||
PRUint32 timeout;
|
PRUint32 timeout;
|
||||||
@ -1396,16 +1387,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|||||||
/* reset the flag to avoid an infinite loop */
|
/* reset the flag to avoid an infinite loop */
|
||||||
data->state.ssl_connect_retry = FALSE;
|
data->state.ssl_connect_retry = FALSE;
|
||||||
|
|
||||||
/* enable all ciphers from enable_ciphers_by_default */
|
|
||||||
cipher_to_enable = enable_ciphers_by_default;
|
|
||||||
while(SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
|
|
||||||
if(SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
|
|
||||||
curlerr = CURLE_SSL_CIPHER;
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
cipher_to_enable++;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(data->set.ssl.cipher_list) {
|
if(data->set.ssl.cipher_list) {
|
||||||
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
|
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
|
||||||
curlerr = CURLE_SSL_CIPHER;
|
curlerr = CURLE_SSL_CIPHER;
|
||||||
|
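Review bot: With the enable loop removed from Curl_nss_connect, the suites offered when no cipher list is set are whatever the linked NSS enables, and the deleted comment said the AES suites are not enabled by default in NSS, so on such builds a handshake would presumably settle on a non-AES suite with no visible signal. That dependency deserves a comment just above `if(data->set.ssl.cipher_list) {`, for example `/* default cipher-suite policy is left to NSS; only an explicit cipher list changes it */`, and a matching note in the user-facing cipher documentation, which is not visible on this page. In the first hunk the four new names carry `_cbc_` (`dhe_rsa_aes_128_cbc_sha`) while the neighbouring `rsa_aes_128_sha` does not; if that follows an upstream naming scheme, say so in the `/* AES ciphers. */` comment so users can predict the spelling. Curl_nss_connect begins and ends outside the hunks shown.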