Commit d804f86b, authored by Bodo Möller

disable some invalid ciphersuites

Parent 8dee9f84
...@@ -4,6 +4,21 @@ ...@@ -4,6 +4,21 @@
Changes between 0.9.8a and 0.9.9 [xx XXX xxxx] Changes between 0.9.8a and 0.9.9 [xx XXX xxxx]
*) Disable rogue ciphersuites:
- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
The latter two were purportedly from
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
appear there.
Other ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt
remain enabled for now, but are just as unofficial, and the ID
has long expired; these will probably disappear soon.
[Bodo Moeller]
*) Move code previously exiled into file crypto/ec/ec2_smpt.c *) Move code previously exiled into file crypto/ec/ec2_smpt.c
to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
macro. macro.
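Review bot: In the new CHANGES entry, "Other ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt remain enabled for now" reads as unconditional, but the corresponding entries in ssl3_ciphers[] sit under #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES. Consider stating that they remain available only when that macro is defined, and that the three listed suites are compiled out with #if 0 rather than just dropped from a default list, so a reader knows a cipher string cannot bring them back.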
......
...@@ -178,7 +178,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ ...@@ -178,7 +178,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
SSL_ALL_STRENGTHS, SSL_ALL_STRENGTHS,
}, },
/* RC4_64_WITH_MD5 */ /* RC4_64_WITH_MD5 */
#if 1 #if 0
{ {
1, 1,
SSL2_TXT_RC4_64_WITH_MD5, SSL2_TXT_RC4_64_WITH_MD5,
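Review bot: The guard flipped from #if 1 to #if 0 above the RC4_64_WITH_MD5 entry in ssl2_ciphers[] has no explanation at the site; the only comment there is the suite name. Add a short comment on the guard saying the suite is disabled deliberately as invalid (matching the CHANGES entry), or delete the table entry outright, so a later reader does not flip the guard back.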
......
...@@ -1213,7 +1213,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ ...@@ -1213,7 +1213,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
#endif /* OPENSSL_NO_ECDH */ #endif /* OPENSSL_NO_ECDH */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
/* New TLS Export CipherSuites */ /* New TLS Export CipherSuites from expired ID */
#if 0
/* Cipher 60 */ /* Cipher 60 */
{ {
1, 1,
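Review bot: The reworded comment "New TLS Export CipherSuites from expired ID" now sits directly above the #if 0 that opens at Cipher 60, yet the CHANGES entry and the tls1.h comment in this same commit say 0x60 and 0x61 do not appear in the draft. Put a comment on the #if 0 itself stating that the enclosed suites are not in the ID, so the heading is not read as describing them.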
...@@ -1240,6 +1241,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ ...@@ -1240,6 +1241,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_CIPHERS, SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS, SSL_ALL_STRENGTHS,
}, },
#endif
/* Cipher 62 */ /* Cipher 62 */
{ {
1, 1,
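Review bot: The #endif added before Cipher 62 is bare, while it is nested inside #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES and the neighbouring code uses annotated closers such as "#endif /* OPENSSL_NO_ECDH */". Annotate it, for example with a comment naming Ciphers 60 and 61, so the nested conditionals can be paired at a glance and the disabled range is obvious without scrolling back to the #if 0.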
......
...@@ -97,12 +97,13 @@ extern "C" { ...@@ -97,12 +97,13 @@ extern "C" {
#define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_USER_CANCELLED 90
#define TLS1_AD_NO_RENEGOTIATION 100 #define TLS1_AD_NO_RENEGOTIATION 100
/* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt /* Additional TLS ciphersuites from expired Internet Draft
* draft-ietf-tls-56-bit-ciphersuites-01.txt
* (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
* s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably * s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably
* shouldn't. */ * shouldn't. Note that the first two are actually not in the IDs. */
#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060 #define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060 /* not in ID */
#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061 #define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061 /* not in ID */
#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062 #define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062
#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063 #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063
#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064 #define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064
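Review bot: The block comment still says these ciphersuites are "available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined", which no longer holds for TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 and TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 now that their ssl3_ciphers[] entries are under #if 0. The "not in ID" markers explain the origin but not the status; say in the comment that these two are disabled regardless of the macro, so code referencing the constants is not assumed to negotiate them.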
......