From d804f86b88f8d45edd71f51713a56f8af9af4fed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Tue, 15 Nov 2005 23:32:11 +0000 Subject: [PATCH] disable some invalid ciphersuites --- CHANGES | 15 +++++++++++++++ ssl/s2_lib.c | 2 +- ssl/s3_lib.c | 4 +++- ssl/tls1.h | 9 +++++---- 4 files changed, 24 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 775b0ea52f..d5c02ee72b 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,21 @@ Changes between 0.9.8a and 0.9.9 [xx XXX xxxx] + *) Disable rogue ciphersuites: + + - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") + - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") + - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") + + The latter two were purportedly from + draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really + appear there. + + Other ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt + remain enabled for now, but are just as unofficial, and the ID + has long expired; these will probably disappear soon. + [Bodo Moeller] + *) Move code previously exiled into file crypto/ec/ec2_smpt.c to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP macro. diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c index 37f83cd891..a454cac9f1 100644 --- a/ssl/s2_lib.c +++ b/ssl/s2_lib.c @@ -178,7 +178,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ SSL_ALL_STRENGTHS, }, /* RC4_64_WITH_MD5 */ -#if 1 +#if 0 { 1, SSL2_TXT_RC4_64_WITH_MD5, diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index f94c0d957d..5a3e41f2f8 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1213,7 +1213,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ #endif /* OPENSSL_NO_ECDH */ #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES - /* New TLS Export CipherSuites */ + /* New TLS Export CipherSuites from expired ID */ +#if 0 /* Cipher 60 */ { 1, @@ -1240,6 +1241,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, +#endif /* Cipher 62 */ { 1, diff --git a/ssl/tls1.h b/ssl/tls1.h index be15445384..112ef3a99f 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -97,12 +97,13 @@ extern "C" { #define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_NO_RENEGOTIATION 100 -/* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt +/* Additional TLS ciphersuites from expired Internet Draft + * draft-ietf-tls-56-bit-ciphersuites-01.txt * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see * s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably - * shouldn't. */ -#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060 -#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061 + * shouldn't. Note that the first two are actually not in the IDs. */ +#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060 /* not in ID */ +#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061 /* not in ID */ #define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062 #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063 #define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064 -- GitLab