Disable invalid ciphersuites

2006-06-14 17:52:01 +00:00 · 2006-06-14 17:52:01 +00:00 · 0e73294e26
commit 0e73294e26
parent b610f46bae
4 changed files with 35 additions and 3 deletions
--- a/30
+++ b/30
@ -4,6 +4,21 @@

 Changes between 0.9.8b and 0.9.8c  [xx XXX xxxx]

+  *) Disable rogue ciphersuites:
+
+      - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+      - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+      - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+
+     The latter two were purportedly from
+     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+     appear there.
+
+     Also deactive the remaining ciphersuites from
+     draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
+     unofficial, and the ID has long expired.
+     [Bodo Moeller]
+
  *) Fix RSA blinding Heisenbug (problems sometimes occured on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]
@ -930,6 +945,21 @@

 Changes between 0.9.7j and 0.9.7k  [xx XXX xxxx]

+  *) Disable rogue ciphersuites:
+
+      - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+      - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+      - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+
+     The latter two were purportedly from
+     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+     appear there.
+
+     Also deactive the remaining ciphersuites from
+     draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
+     unofficial, and the ID has long expired.
+     [Bodo Moeller]
+
  *) Fix RSA blinding Heisenbug (problems sometimes occured on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@ -178,7 +178,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
 	SSL_ALL_STRENGTHS,
 	},
 /* RC4_64_WITH_MD5 */
-#if 1
+#if 0
 	{
 	1,
 	SSL2_TXT_RC4_64_WITH_MD5,
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -986,7 +986,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 #endif /* OPENSSL_NO_CAMELLIA */

 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
-	/* New TLS Export CipherSuites */
+	/* New TLS Export CipherSuites from expired ID */
+#if 0
 	/* Cipher 60 */
 	    {
 	    1,
@ -1013,6 +1014,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    SSL_ALL_CIPHERS,
 	    SSL_ALL_STRENGTHS,
 	    },
+#endif
 	/* Cipher 62 */
 	    {
 	    1,
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@ -78,7 +78,7 @@
 extern "C" {
 #endif

-#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	1
+#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	0

 #define TLS1_VERSION			0x0301
 #define TLS1_VERSION_MAJOR		0x03