Remove export static DH ciphersuites

Remove support for the two export grade static DH ciphersuites. These two ciphersuites were newly added (along with a number of other static DH ciphersuites) to 1.0.2. However the two export ones have *never* worked since they were introduced. It seems strange in any case to be adding new export ciphersuites, and given "logjam" it also does not seem correct to fix them. Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-22 13:33:19 +01:00 · 2015-05-22 13:33:19 +01:00 · 13f8eb4730
commit 13f8eb4730
parent efee575ad4
3 changed files with 10 additions and 4 deletions
--- a/8
+++ b/8
@ -9,6 +9,14 @@
     not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
     [Matt Caswell]

+  *) Removed support for the two export grade static DH ciphersuites
+     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
+     were newly added (along with a number of other static DH ciphersuites) to
+     1.0.2. However the two export ones have *never* worked since they were
+     introduced. It seems strange in any case to be adding new export
+     ciphersuites, and given "logjam" it also does not seem correct to fix them.
+     [Matt Caswell]
+
  *) Version negotiation has been rewritten. In particular SSLv23_method(),
     SSLv23_client_method() and SSLv23_server_method() have been deprecated,
     and turned into macros which simply call the new preferred function names
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@ -365,10 +365,8 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
 SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
 SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA

- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    EXP-DH-DSS-DES-CBC-SHA
 SSL_DH_DSS_WITH_DES_CBC_SHA             DH-DSS-DES-CBC-SHA
 SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        DH-DSS-DES-CBC3-SHA
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    EXP-DH-RSA-DES-CBC-SHA
 SSL_DH_RSA_WITH_DES_CBC_SHA             DH-RSA-DES-CBC-SHA
 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        DH-RSA-DES-CBC3-SHA
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-DHE-DSS-DES-CBC-SHA
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -330,7 +330,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
 /* The DH ciphers */
 /* Cipher 0B */
    {
-     1,
+     0,
     SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
     SSL3_CK_DH_DSS_DES_40_CBC_SHA,
     SSL_kDHd,
@ -378,7 +378,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {

 /* Cipher 0E */
    {
-     1,
+     0,
     SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
     SSL3_CK_DH_RSA_DES_40_CBC_SHA,
     SSL_kDHr,