Disable SHA-2 ciphersuites in < TLS 1.2 connections.
(TLS 1.2 clients could end up negotiating these with an OpenSSL server with TLS 1.2 disabled, which is problematic.) Submitted by: Adam Langley
This commit is contained in:
Bodo Möller
parent
89bd25eb26
commit
4d936ace08
3
CHANGES
3
CHANGES
@ -4,6 +4,9 @@
|
|||||||
|
|
||||||
Changes between 1.0.1 and 1.0.1a [xx XXX xxxx]
|
Changes between 1.0.1 and 1.0.1a [xx XXX xxxx]
|
||||||
|
|
||||||
|
*) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
|
||||||
|
[Adam Langley]
|
||||||
|
|
||||||
*) Workarounds for some broken servers that "hang" if a client hello
|
*) Workarounds for some broken servers that "hang" if a client hello
|
||||||
record length exceeds 255 bytes.
|
record length exceeds 255 bytes.
|
||||||
|
|
||||||
|
|||||||
26
ssl/s3_lib.c
26
ssl/s3_lib.c
@ -1081,7 +1081,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aRSA,
|
SSL_aRSA,
|
||||||
SSL_eNULL,
|
SSL_eNULL,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_SSLV3,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
|
SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
0,
|
0,
|
||||||
@ -1097,7 +1097,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aRSA,
|
SSL_aRSA,
|
||||||
SSL_AES128,
|
SSL_AES128,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
128,
|
128,
|
||||||
@ -1113,7 +1113,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aRSA,
|
SSL_aRSA,
|
||||||
SSL_AES256,
|
SSL_AES256,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
256,
|
256,
|
||||||
@ -1129,7 +1129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aDH,
|
SSL_aDH,
|
||||||
SSL_AES128,
|
SSL_AES128,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
128,
|
128,
|
||||||
@ -1145,7 +1145,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aDH,
|
SSL_aDH,
|
||||||
SSL_AES128,
|
SSL_AES128,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
128,
|
128,
|
||||||
@ -1161,7 +1161,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aDSS,
|
SSL_aDSS,
|
||||||
SSL_AES128,
|
SSL_AES128,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
128,
|
128,
|
||||||
@ -1395,7 +1395,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aRSA,
|
SSL_aRSA,
|
||||||
SSL_AES128,
|
SSL_AES128,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
128,
|
128,
|
||||||
@ -1411,7 +1411,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aDH,
|
SSL_aDH,
|
||||||
SSL_AES256,
|
SSL_AES256,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
256,
|
256,
|
||||||
@ -1427,7 +1427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aDH,
|
SSL_aDH,
|
||||||
SSL_AES256,
|
SSL_AES256,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
256,
|
256,
|
||||||
@ -1443,7 +1443,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aDSS,
|
SSL_aDSS,
|
||||||
SSL_AES256,
|
SSL_AES256,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
256,
|
256,
|
||||||
@ -1459,7 +1459,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aRSA,
|
SSL_aRSA,
|
||||||
SSL_AES256,
|
SSL_AES256,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
256,
|
256,
|
||||||
@ -1475,7 +1475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aNULL,
|
SSL_aNULL,
|
||||||
SSL_AES128,
|
SSL_AES128,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
128,
|
128,
|
||||||
@ -1491,7 +1491,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
|
|||||||
SSL_aNULL,
|
SSL_aNULL,
|
||||||
SSL_AES256,
|
SSL_AES256,
|
||||||
SSL_SHA256,
|
SSL_SHA256,
|
||||||
SSL_TLSV1,
|
SSL_TLSV1_2,
|
||||||
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
|
||||||
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
|
||||||
256,
|
256,
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user