Really disable 56-bit (single-DES) ciphers

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-06 00:35:06 -05:00 · 2015-12-06 00:35:06 -05:00 · 1c735804a2
commit 1c735804a2
parent 361a119127
2 changed files with 3 additions and 110 deletions
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@ -165,8 +165,9 @@ encryption.

 =item B<LOW>

-"low" encryption cipher suites, currently those using 64 or 56 bit encryption
-algorithms but excluding export cipher suites.
+"low" encryption cipher suites, currently those using 64 or 56 bit
+encryption algorithms but excluding export cipher suites.  All these
+ciphersuites have been removed as of OpenSSL 1.1.0.

 =item B<eNULL>, B<NULL>

@ -378,20 +379,14 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
 SSL_RSA_WITH_RC4_128_MD5                RC4-MD5
 SSL_RSA_WITH_RC4_128_SHA                RC4-SHA
 SSL_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
- SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
 SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA

- SSL_DH_DSS_WITH_DES_CBC_SHA             DH-DSS-DES-CBC-SHA
 SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        DH-DSS-DES-CBC3-SHA
- SSL_DH_RSA_WITH_DES_CBC_SHA             DH-RSA-DES-CBC-SHA
 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        DH-RSA-DES-CBC3-SHA
- SSL_DHE_DSS_WITH_DES_CBC_SHA            DHE-DSS-CBC-SHA
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       DHE-DSS-DES-CBC3-SHA
- SSL_DHE_RSA_WITH_DES_CBC_SHA            DHE-RSA-DES-CBC-SHA
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       DHE-RSA-DES-CBC3-SHA

 SSL_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
- SSL_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA

 SSL_FORTEZZA_KEA_WITH_NULL_SHA          Not implemented.
@ -405,20 +400,14 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
 TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
 TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
 TLS_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
- TLS_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
 TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA

- TLS_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
- TLS_DH_RSA_WITH_DES_CBC_SHA             Not implemented.
 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
- TLS_DHE_DSS_WITH_DES_CBC_SHA            DHE-DSS-CBC-SHA
 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       DHE-DSS-DES-CBC3-SHA
- TLS_DHE_RSA_WITH_DES_CBC_SHA            DHE-RSA-DES-CBC-SHA
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       DHE-RSA-DES-CBC3-SHA

 TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
- TLS_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA

 =head2 AES ciphersuites from RFC3268, extending TLS v1.0
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -245,22 +245,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     },
 #endif

-/* Cipher 09 */
-    {
-     1,
-     SSL3_TXT_RSA_DES_64_CBC_SHA,
-     SSL3_CK_RSA_DES_64_CBC_SHA,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_LOW,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
 /* Cipher 0A */
    {
     1,
@ -277,22 +261,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     168,
     },

-/* Cipher 0C */
-    {
-     1,
-     SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
-     SSL3_CK_DH_DSS_DES_64_CBC_SHA,
-     SSL_kDHd,
-     SSL_aDH,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_LOW,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
 /* Cipher 0D */
    {
     1,
@ -309,22 +277,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     168,
     },

-/* Cipher 0F */
-    {
-     1,
-     SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
-     SSL3_CK_DH_RSA_DES_64_CBC_SHA,
-     SSL_kDHr,
-     SSL_aDH,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_LOW,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
 /* Cipher 10 */
    {
     1,
@ -341,22 +293,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     168,
     },

-/* Cipher 12 */
-    {
-     1,
-     SSL3_TXT_DHE_DSS_DES_64_CBC_SHA,
-     SSL3_CK_DHE_DSS_DES_64_CBC_SHA,
-     SSL_kDHE,
-     SSL_aDSS,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_LOW,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
 /* Cipher 13 */
    {
     1,
@ -373,22 +309,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     168,
     },

-/* Cipher 15 */
-    {
-     1,
-     SSL3_TXT_DHE_RSA_DES_64_CBC_SHA,
-     SSL3_CK_DHE_RSA_DES_64_CBC_SHA,
-     SSL_kDHE,
-     SSL_aRSA,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_LOW,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
 /* Cipher 16 */
    {
     1,
@ -421,22 +341,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     128,
     },

-/* Cipher 1A */
-    {
-     1,
-     SSL3_TXT_ADH_DES_64_CBC_SHA,
-     SSL3_CK_ADH_DES_64_CBC_SHA,
-     SSL_kDHE,
-     SSL_aNULL,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_NOT_DEFAULT | SSL_LOW,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
 /* Cipher 1B */
    {
     1,