From b4f6cd46eb1b5a98573e0c0e619dc71646affdc8 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 7 Mar 2014 13:02:03 +0100
Subject: [PATCH] nss: do not enable AES cipher-suites by default

... but allow them to be enabled/disabled explicitly. The default policy should be maintained at the NSS level.
---
 lib/vtls/nss.c | 27 ++++-----------------------
 1 file changed, 4 insertions(+), 23 deletions(-)

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 8e8a41ec07..e22b09841b 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -123,6 +123,10 @@ static const cipher_s cipherlist[] = {
 {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
 {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
 /* AES ciphers. */
+ {"dhe_dss_aes_128_cbc_sha", TLS_DHE_DSS_WITH_AES_128_CBC_SHA},
+ {"dhe_dss_aes_256_cbc_sha", TLS_DHE_DSS_WITH_AES_256_CBC_SHA},
+ {"dhe_rsa_aes_128_cbc_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
+ {"dhe_rsa_aes_256_cbc_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
 {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA},
 {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA},
 /* ECC ciphers. */
@@ -153,18 +157,6 @@ static const cipher_s cipherlist[] = {
 {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
 };
 
-/* following ciphers are new in NSS 3.4 and not enabled by default, therefore
- they are enabled explicitly */
-static const int enable_ciphers_by_default[] = {
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_RSA_WITH_AES_128_CBC_SHA,
- TLS_RSA_WITH_AES_256_CBC_SHA,
- SSL_NULL_WITH_NULL_NULL
-};
-
 static const char* pem_library = "libnsspem.so";
 SECMODModule* mod = NULL;
 
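Review bot: The `/* AES ciphers. */` comment above the four added `dhe_*_aes_*_cbc_sha` entries does not say that curl no longer turns these suites on itself. With `enable_ciphers_by_default` and its loop in `Curl_nss_connect` removed later in this patch, whether AES is offered when no cipher list is set depends only on the NSS default policy. The removed comment described these suites as not enabled by default in NSS 3.4, so a build against an NSS that still leaves them off would presumably negotiate a non-AES suite, or fail against AES-only servers, unless the user names them explicitly. I would extend the comment to `/* AES ciphers; not enabled by curl itself, availability follows the NSS default policy unless named in the cipher list. */`, and note in the user-facing cipher documentation that the new names spell out `cbc` while the neighbouring `rsa_aes_128_sha` and `rsa_aes_256_sha` do not. The `cipherlist[]` initializer starts above this hunk and ends in the next one.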
@@ -1294,7 +1286,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 curl_socket_t sockfd = conn->sock[sockindex];
 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
 CURLcode curlerr;
- const int *cipher_to_enable;
 PRSocketOptionData sock_opt;
 long time_left;
 PRUint32 timeout;
@@ -1396,16 +1387,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 /* reset the flag to avoid an infinite loop */
 data->state.ssl_connect_retry = FALSE;
 
- /* enable all ciphers from enable_ciphers_by_default */
- cipher_to_enable = enable_ciphers_by_default;
- while(SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
- if(SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
- curlerr = CURLE_SSL_CIPHER;
- goto error;
- }
- cipher_to_enable++;
- }
-
 if(data->set.ssl.cipher_list) {
 if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
 curlerr = CURLE_SSL_CIPHER;