generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Really disable 56-bit (single-DES) ciphers

Browse Source 
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
This commit is contained in:
Viktor Dukhovni 2015-12-06 00:35:06 -05:00
parent 361a119127
commit 1c735804a2
2 changed files with 3 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
doc/apps/ciphers.pod
View File

@ -165,8 +165,9 @@ encryption.
=item B<LOW> =item B<LOW>
"low" encryption cipher suites, currently those using 64 or 56 bit encryption "low" encryption cipher suites, currently those using 64 or 56 bit
algorithms but excluding export cipher suites. encryption algorithms but excluding export cipher suites. All these
ciphersuites have been removed as of OpenSSL 1.1.0.
=item B<eNULL>, B<NULL> =item B<eNULL>, B<NULL>
@ -378,20 +379,14 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5 SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
SSL_DH_DSS_WITH_DES_CBC_SHA DH-DSS-DES-CBC-SHA
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH-DSS-DES-CBC3-SHA SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH-DSS-DES-CBC3-SHA
SSL_DH_RSA_WITH_DES_CBC_SHA DH-RSA-DES-CBC-SHA
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH-RSA-DES-CBC3-SHA SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH-RSA-DES-CBC3-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA DHE-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS-DES-CBC3-SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS-DES-CBC3-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA DHE-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA-DES-CBC3-SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA-DES-CBC3-SHA
SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented.
@ -405,20 +400,14 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
TLS_RSA_WITH_RC4_128_MD5 RC4-MD5 TLS_RSA_WITH_RC4_128_MD5 RC4-MD5
TLS_RSA_WITH_RC4_128_SHA RC4-SHA TLS_RSA_WITH_RC4_128_SHA RC4-SHA
TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented.
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented.
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented.
TLS_DHE_DSS_WITH_DES_CBC_SHA DHE-DSS-CBC-SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS-DES-CBC3-SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS-DES-CBC3-SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA DHE-RSA-DES-CBC-SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA-DES-CBC3-SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA-DES-CBC3-SHA
TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
=head2 AES ciphersuites from RFC3268, extending TLS v1.0 =head2 AES ciphersuites from RFC3268, extending TLS v1.0

96
ssl/s3_lib.c
View File

@ -245,22 +245,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
}, },
#endif #endif
/* Cipher 09 */
{
1,
SSL3_TXT_RSA_DES_64_CBC_SHA,
SSL3_CK_RSA_DES_64_CBC_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
},
/* Cipher 0A */ /* Cipher 0A */
{ {
1, 1,
@ -277,22 +261,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
168, 168,
}, },
/* Cipher 0C */
{
1,
SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
SSL3_CK_DH_DSS_DES_64_CBC_SHA,
SSL_kDHd,
SSL_aDH,
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
},
/* Cipher 0D */ /* Cipher 0D */
{ {
1, 1,
@ -309,22 +277,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
168, 168,
}, },
/* Cipher 0F */
{
1,
SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
SSL3_CK_DH_RSA_DES_64_CBC_SHA,
SSL_kDHr,
SSL_aDH,
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
},
/* Cipher 10 */ /* Cipher 10 */
{ {
1, 1,
@ -341,22 +293,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
168, 168,
}, },
/* Cipher 12 */
{
1,
SSL3_TXT_DHE_DSS_DES_64_CBC_SHA,
SSL3_CK_DHE_DSS_DES_64_CBC_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
},
/* Cipher 13 */ /* Cipher 13 */
{ {
1, 1,
@ -373,22 +309,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
168, 168,
}, },
/* Cipher 15 */
{
1,
SSL3_TXT_DHE_RSA_DES_64_CBC_SHA,
SSL3_CK_DHE_RSA_DES_64_CBC_SHA,
SSL_kDHE,
SSL_aRSA,
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
},
/* Cipher 16 */ /* Cipher 16 */
{ {
1, 1,
@ -421,22 +341,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
128, 128,
}, },
/* Cipher 1A */
{
1,
SSL3_TXT_ADH_DES_64_CBC_SHA,
SSL3_CK_ADH_DES_64_CBC_SHA,
SSL_kDHE,
SSL_aNULL,
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
},
/* Cipher 1B */ /* Cipher 1B */
{ {
1, 1,