generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove experimental 56bit export ciphers

Browse Source 
These ciphers are removed:
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA
They were defined in a long-expired IETF internet-draft:
draft-ietf-tls-56-bit-ciphersuites-01.txt

Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Rich Salz 2015-02-27 15:06:41 -05:00
parent af674d4e20
commit a258afaf7c
2 changed files with 0 additions and 101 deletions

82
ssl/s3_lib.c

@ -1212,88 +1212,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
}, },
#endif /* OPENSSL_NO_CAMELLIA */ #endif /* OPENSSL_NO_CAMELLIA */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
/* Cipher 62 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_DES,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
},
/* Cipher 63 */
{
1,
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_DES,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
},
/* Cipher 64 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
},
/* Cipher 65 */
{
1,
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
},
/* Cipher 66 */
{
1,
TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
#endif
/* TLS v1.2 ciphersuites */ /* TLS v1.2 ciphersuites */
/* Cipher 67 */ /* Cipher 67 */
{ {

19
ssl/tls1.h

@ -162,8 +162,6 @@ extern "C" {
# define OPENSSL_TLS_SECURITY_LEVEL 1 # define OPENSSL_TLS_SECURITY_LEVEL 1
# endif # endif
# define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
# define TLS1_VERSION 0x0301 # define TLS1_VERSION 0x0301
# define TLS1_1_VERSION 0x0302 # define TLS1_1_VERSION 0x0302
# define TLS1_2_VERSION 0x0303 # define TLS1_2_VERSION 0x0303
@ -411,23 +409,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
# define TLS1_CK_PSK_WITH_AES_128_CBC_SHA 0x0300008C # define TLS1_CK_PSK_WITH_AES_128_CBC_SHA 0x0300008C
# define TLS1_CK_PSK_WITH_AES_256_CBC_SHA 0x0300008D # define TLS1_CK_PSK_WITH_AES_256_CBC_SHA 0x0300008D
/*
* Additional TLS ciphersuites from expired Internet Draft
* draft-ietf-tls-56-bit-ciphersuites-01.txt (available if
* TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see s3_lib.c). We
* actually treat them like SSL 3.0 ciphers, which we probably shouldn't.
* Note that the first two are actually not in the IDs.
*/
# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060/* not in
* ID */
# define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061/* not in
* ID */
# define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062
# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063
# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064
# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065
# define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066
/* AES ciphersuites from RFC3268 */ /* AES ciphersuites from RFC3268 */
# define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F # define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F