mirror of
https://github.com/openssl/openssl.git
synced 2025-02-17 14:32:04 +08:00
To avoid SWEET32 attack, move 3DES to weak
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This commit is contained in:
Rich Salz
Matt Caswell
parent
cfd20f64cc
commit
d33726b92e
4
CHANGES
4
CHANGES
@ -4,6 +4,10 @@
|
||||
|
||||
Changes between 1.0.2h and 1.1.0 [xx XXX xxxx]
|
||||
|
||||
*) Because of the SWEET32 attack, 3DES cipher suites have been disabled by
|
||||
default like RC4. See the RC4 item below to re-enable both.
|
||||
[Rich Salz]
|
||||
|
||||
*) The method for finding the storage location for the Windows RAND seed file
|
||||
has changed. First we check %RANDFILE%. If that is not set then we check
|
||||
the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
|
||||
|
||||
18
ssl/s3_lib.c
18
ssl/s3_lib.c
@ -97,6 +97,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
0,
|
||||
0,
|
||||
},
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_RSA_DES_192_CBC3_SHA,
|
||||
@ -157,6 +158,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
112,
|
||||
168,
|
||||
},
|
||||
#endif
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_RSA_WITH_AES_128_SHA,
|
||||
@ -849,6 +851,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
0,
|
||||
0,
|
||||
},
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
|
||||
@ -864,6 +867,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
112,
|
||||
168,
|
||||
},
|
||||
# endif
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
@ -909,6 +913,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
0,
|
||||
0,
|
||||
},
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
|
||||
@ -924,6 +929,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
112,
|
||||
168,
|
||||
},
|
||||
# endif
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
@ -969,6 +975,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
0,
|
||||
0,
|
||||
},
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
|
||||
@ -984,6 +991,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
112,
|
||||
168,
|
||||
},
|
||||
# endif
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
|
||||
@ -1182,6 +1190,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
0,
|
||||
0,
|
||||
},
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
@ -1197,6 +1206,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
112,
|
||||
168,
|
||||
},
|
||||
# endif
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
|
||||
@ -1227,6 +1237,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
256,
|
||||
256,
|
||||
},
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
@ -1242,6 +1253,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
112,
|
||||
168,
|
||||
},
|
||||
# endif
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA,
|
||||
@ -1272,6 +1284,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
256,
|
||||
256,
|
||||
},
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
@ -1287,6 +1300,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
112,
|
||||
168,
|
||||
},
|
||||
# endif
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA,
|
||||
@ -1588,6 +1602,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
0,
|
||||
},
|
||||
# ifndef OPENSSL_NO_EC
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
@ -1603,6 +1618,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
112,
|
||||
168,
|
||||
},
|
||||
# endif
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
|
||||
@ -1712,6 +1728,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
#endif /* OPENSSL_NO_PSK */
|
||||
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
|
||||
@ -1757,6 +1774,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
112,
|
||||
168,
|
||||
},
|
||||
# endif
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
|
||||
|
||||
@ -104,16 +104,6 @@ static const uint32_t default_ciphers_in_order[] = {
|
||||
TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_DES
|
||||
# ifndef OPENSSL_NO_EC
|
||||
TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
|
||||
TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
|
||||
# endif
|
||||
# ifndef OPENSSL_NO_DH
|
||||
SSL3_CK_DHE_RSA_DES_192_CBC3_SHA,
|
||||
# endif
|
||||
#endif /* !OPENSSL_NO_DES */
|
||||
|
||||
#ifndef OPENSSL_NO_TLS1_2
|
||||
TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
|
||||
TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
|
||||
@ -123,9 +113,6 @@ static const uint32_t default_ciphers_in_order[] = {
|
||||
|
||||
TLS1_CK_RSA_WITH_AES_256_SHA,
|
||||
TLS1_CK_RSA_WITH_AES_128_SHA,
|
||||
#ifndef OPENSSL_NO_DES
|
||||
SSL3_CK_RSA_DES_192_CBC3_SHA,
|
||||
#endif
|
||||
};
|
||||
|
||||
static int test_default_cipherlist(SSL_CTX *ctx)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user