Commit 018e57c7 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Apply Lutz Behnke's 56 bit cipher patch with a few 

minor changes.

Docs haven't been added at this stage. They are probably
best included in the 'ciphers' program docs.
parent 3604a4d3

CHANGES

+9 −0
Original line number Diff line number Diff line
@@ -4,6 +4,15 @@ 


 Changes between 0.9.4 and 0.9.5  [xx XXX 1999]



  *) Apply Lutz Behnke's 56bit cipher patch. This should fix the problems with cipher

     ordering and the new EXPORT1024 ciphers. Only two minor changes have been

     made, the error reason codes have been altered and the @STRENGTH sorting

     behaviour changed so eNULL ciphers are also sorted (if present).



     One other addition: the "ciphers" program didn't check the return code

     of SSL_CTX_set_cipher_list().

     [Lutz Behnke <behnke@trustcenter.de>, minor changes by Steve Henson]



  *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1

     for the first serial number and places 2 in the serial number file. This

     avoids problems when the root CA is created with serial number zero and

apps/ciphers.c

+6 −2
Original line number Diff line number Diff line
@@ -145,8 +145,12 @@ int MAIN(int argc, char **argv) 


	ctx=SSL_CTX_new(meth);

	if (ctx == NULL) goto err;

	if (ciphers != NULL)

		SSL_CTX_set_cipher_list(ctx,ciphers);

	if (ciphers != NULL) {

		if(!SSL_CTX_set_cipher_list(ctx,ciphers)) {

			BIO_printf(bio_err, "Error in cipher list\n");

			goto err;

		}

	}

	ssl=SSL_new(ctx);

	if (ssl == NULL) goto err;

ssl/s2_lib.c

+48 −9
Original line number Diff line number Diff line
@@ -75,9 +75,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ 
	1,

	SSL2_TXT_NULL_WITH_MD5,

	SSL2_CK_NULL_WITH_MD5,

	SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_EXP40|SSL_SSLV2,

	SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2,

	SSL_EXPORT|SSL_EXP40,

	0,

	0,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

#endif

/* RC4_128_EXPORT40_WITH_MD5 */
@@ -85,63 +88,91 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ 
	1,

	SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,

	SSL2_CK_RC4_128_EXPORT40_WITH_MD5,

	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP40|SSL_SSLV2,

	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,

	SSL_EXPORT|SSL_EXP40,

	SSL2_CF_5_BYTE_ENC,

	40,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* RC4_128_WITH_MD5 */

	{

	1,

	SSL2_TXT_RC4_128_WITH_MD5,

	SSL2_CK_RC4_128_WITH_MD5,

	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,

	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,

	SSL_NOT_EXP|SSL_MEDIUM,

	0,

	128,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* RC2_128_CBC_EXPORT40_WITH_MD5 */

	{

	1,

	SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,

	SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,

	SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP40|SSL_SSLV2,

	SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,

	SSL_EXPORT|SSL_EXP40,

	SSL2_CF_5_BYTE_ENC,

	40,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* RC2_128_CBC_WITH_MD5 */

	{

	1,

	SSL2_TXT_RC2_128_CBC_WITH_MD5,

	SSL2_CK_RC2_128_CBC_WITH_MD5,

	SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,

	SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,

	SSL_NOT_EXP|SSL_MEDIUM,

	0,

	128,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* IDEA_128_CBC_WITH_MD5 */

	{

	1,

	SSL2_TXT_IDEA_128_CBC_WITH_MD5,

	SSL2_CK_IDEA_128_CBC_WITH_MD5,

	SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,

	SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_SSLV2,

	SSL_NOT_EXP|SSL_MEDIUM,

	0,

	128,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* DES_64_CBC_WITH_MD5 */

	{

	1,

	SSL2_TXT_DES_64_CBC_WITH_MD5,

	SSL2_CK_DES_64_CBC_WITH_MD5,

	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_LOW,

	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_SSLV2,

	SSL_NOT_EXP|SSL_LOW,

	0,

	56,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* DES_192_EDE3_CBC_WITH_MD5 */

	{

	1,

	SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,

	SSL2_CK_DES_192_EDE3_CBC_WITH_MD5,

	SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_HIGH,

	SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_SSLV2,

	SSL_NOT_EXP|SSL_HIGH,

	0,

	168,

	168,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* RC4_64_WITH_MD5 */

#if 1
@@ -149,9 +180,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ 
	1,

	SSL2_TXT_RC4_64_WITH_MD5,

	SSL2_CK_RC4_64_WITH_MD5,

	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2|SSL_LOW,

	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,

	SSL_NOT_EXP|SSL_LOW,

	SSL2_CF_8_BYTE_ENC,

	64,

	64,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

#endif

/* NULL SSLeay (testing) */
@@ -161,7 +196,11 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ 
	SSL2_TXT_NULL,

	SSL2_CK_NULL,

	0,

	0,

	0,

	0,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

#endif

ssl/s3_clnt.c

+3 −3
Original line number Diff line number Diff line
@@ -1688,13 +1688,13 @@ static int ssl3_check_cert_and_algorithm(SSL *s) 
#endif

#endif



	if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP))

	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))

		{

#ifndef NO_RSA

		if (algs & SSL_kRSA)

			{

			if (rsa == NULL

			    || RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs))

			    || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))

				{

				SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);

				goto f_err;
@@ -1706,7 +1706,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s) 
			if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))

			    {

			    if (dh == NULL

				|| DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs))

				|| DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))

				{

				SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);

				goto f_err;

ssl/s3_lib.c

+192 −44
Original line number Diff line number Diff line
@@ -75,18 +75,26 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 
	1,

	SSL3_TXT_RSA_NULL_MD5,

	SSL3_CK_RSA_NULL_MD5,

	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,

	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,

	SSL_NOT_EXP,

	0,

	0,

	0,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 02 */

	{

	1,

	SSL3_TXT_RSA_NULL_SHA,

	SSL3_CK_RSA_NULL_SHA,

	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,

	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP,

	0,

	0,

	0,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},



/* anon DH */
@@ -95,45 +103,65 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 
	1,

	SSL3_TXT_ADH_RC4_40_MD5,

	SSL3_CK_ADH_RC4_40_MD5,

	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_EXP40|SSL_SSLV3,

	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,

	SSL_EXPORT|SSL_EXP40,

	0,

	40,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 18 */

	{

	1,

	SSL3_TXT_ADH_RC4_128_MD5,

	SSL3_CK_ADH_RC4_128_MD5,

	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,

	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,

	SSL_NOT_EXP,

	0,

	128,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 19 */

	{

	1,

	SSL3_TXT_ADH_DES_40_CBC_SHA,

	SSL3_CK_ADH_DES_40_CBC_SHA,

	SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,

	SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,

	SSL_EXPORT|SSL_EXP40,

	0,

	40,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 1A */

	{

	1,

	SSL3_TXT_ADH_DES_64_CBC_SHA,

	SSL3_CK_ADH_DES_64_CBC_SHA,

	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,

	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP,

	0,

	56,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 1B */

	{

	1,

	SSL3_TXT_ADH_DES_192_CBC_SHA,

	SSL3_CK_ADH_DES_192_CBC_SHA,

	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,

	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP,

	0,

	168,

	168,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},



/* RSA again */
@@ -142,72 +170,104 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 
	1,

	SSL3_TXT_RSA_RC4_40_MD5,

	SSL3_CK_RSA_RC4_40_MD5,

	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5 |SSL_EXP40|SSL_SSLV3,

	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5 |SSL_SSLV3,

	SSL_EXPORT|SSL_EXP40,

	0,

	40,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 04 */

	{

	1,

	SSL3_TXT_RSA_RC4_128_MD5,

	SSL3_CK_RSA_RC4_128_MD5,

	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,

	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5|SSL_SSLV3,

	SSL_NOT_EXP|SSL_MEDIUM,

	0,

	128,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 05 */

	{

	1,

	SSL3_TXT_RSA_RC4_128_SHA,

	SSL3_CK_RSA_RC4_128_SHA,

	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,

	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_MEDIUM,

	0,

	128,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 06 */

	{

	1,

	SSL3_TXT_RSA_RC2_40_MD5,

	SSL3_CK_RSA_RC2_40_MD5,

	SSL_kRSA|SSL_aRSA|SSL_RC2  |SSL_MD5 |SSL_EXP40|SSL_SSLV3,

	SSL_kRSA|SSL_aRSA|SSL_RC2  |SSL_MD5 |SSL_SSLV3,

	SSL_EXPORT|SSL_EXP40,

	0,

	40,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 07 */

	{

	1,

	SSL3_TXT_RSA_IDEA_128_SHA,

	SSL3_CK_RSA_IDEA_128_SHA,

	SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,

	SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_MEDIUM,

	0,

	128,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 08 */

	{

	1,

	SSL3_TXT_RSA_DES_40_CBC_SHA,

	SSL3_CK_RSA_DES_40_CBC_SHA,

	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,

	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,

	SSL_EXPORT|SSL_EXP40,

	0,

	40,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 09 */

	{

	1,

	SSL3_TXT_RSA_DES_64_CBC_SHA,

	SSL3_CK_RSA_DES_64_CBC_SHA,

	SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,

	SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_LOW,

	0,

	56,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 0A */

	{

	1,

	SSL3_TXT_RSA_DES_192_CBC3_SHA,

	SSL3_CK_RSA_DES_192_CBC3_SHA,

	SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,

	SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_HIGH,

	0,

	168,

	168,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},



/*  The DH ciphers */
@@ -216,54 +276,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 
	0,

	SSL3_TXT_DH_DSS_DES_40_CBC_SHA,

	SSL3_CK_DH_DSS_DES_40_CBC_SHA,

	SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,

	SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,

	SSL_EXPORT|SSL_EXP40,

	0,

	40,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 0C */

	{

	0,

	SSL3_TXT_DH_DSS_DES_64_CBC_SHA,

	SSL3_CK_DH_DSS_DES_64_CBC_SHA,

	SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,

	SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_LOW,

	0,

	56,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 0D */

	{

	0,

	SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,

	SSL3_CK_DH_DSS_DES_192_CBC3_SHA,

	SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,

	SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_HIGH,

	0,

	168,

	168,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 0E */

	{

	0,

	SSL3_TXT_DH_RSA_DES_40_CBC_SHA,

	SSL3_CK_DH_RSA_DES_40_CBC_SHA,

	SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,

	SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,

	SSL_EXPORT|SSL_EXP40,

	0,

	40,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 0F */

	{

	0,

	SSL3_TXT_DH_RSA_DES_64_CBC_SHA,

	SSL3_CK_DH_RSA_DES_64_CBC_SHA,

	SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,

	SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_LOW,

	0,

	56,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 10 */

	{

	0,

	SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,

	SSL3_CK_DH_RSA_DES_192_CBC3_SHA,

	SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,

	SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_HIGH,

	0,

	168,

	168,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},



/* The Ephemeral DH ciphers */
@@ -272,54 +356,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 
	1,

	SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,

	SSL3_CK_EDH_DSS_DES_40_CBC_SHA,

	SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,

	SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,

	SSL_EXPORT|SSL_EXP40,

	0,

	40,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 12 */

	{

	1,

	SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,

	SSL3_CK_EDH_DSS_DES_64_CBC_SHA,

	SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,

	SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_LOW,

	0,

	56,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 13 */

	{

	1,

	SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,

	SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,

	SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,

	SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_HIGH,

	0,

	168,

	168,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 14 */

	{

	1,

	SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,

	SSL3_CK_EDH_RSA_DES_40_CBC_SHA,

	SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,

	SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,

	SSL_EXPORT|SSL_EXP40,

	0,

	40,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 15 */

	{

	1,

	SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,

	SSL3_CK_EDH_RSA_DES_64_CBC_SHA,

	SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,

	SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_LOW,

	0,

	56,

	56,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},

/* Cipher 16 */

	{

	1,

	SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,

	SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,

	SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,

	SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP|SSL_HIGH,

	0,

	168,

	168,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},



/* Fortezza */
@@ -328,9 +436,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 
	0,

	SSL3_TXT_FZA_DMS_NULL_SHA,

	SSL3_CK_FZA_DMS_NULL_SHA,

	SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,

	SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP,

	0,

	0,

	0,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},



/* Cipher 1D */
@@ -338,9 +450,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 
	0,

	SSL3_TXT_FZA_DMS_FZA_SHA,

	SSL3_CK_FZA_DMS_FZA_SHA,

	SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,

	SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP,

	0,

	0,

	0,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},



/* Cipher 1E */
@@ -348,9 +464,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 
	0,

	SSL3_TXT_FZA_DMS_RC4_SHA,

	SSL3_CK_FZA_DMS_RC4_SHA,

	SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,

	SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_SSLV3,

	SSL_NOT_EXP,

	0,

	128,

	128,

	SSL_ALL_CIPHERS,

	SSL_ALL_STRENGTHS,

	},



#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
@@ -360,54 +480,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 
	    1,

	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,

	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,

	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP56|SSL_TLSV1,

	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,

	    SSL_EXPORT|SSL_EXP56,

	    0,

	    SSL_ALL_CIPHERS

	    56,

	    128,

	    SSL_ALL_CIPHERS,

	    SSL_ALL_STRENGTHS,

	    },

	/* Cipher 61 */

	    {

	    1,

	    TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,

	    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,

	    SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP56|SSL_TLSV1,

	    SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,

	    SSL_EXPORT|SSL_EXP56,

	    0,

	    SSL_ALL_CIPHERS

	    56,

	    128,

	    SSL_ALL_CIPHERS,

	    SSL_ALL_STRENGTHS,

	    },

	/* Cipher 62 */

	    {

	    1,

	    TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,

	    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,

	    SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,

	    SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,

	    SSL_EXPORT|SSL_EXP56,

	    0,

	    SSL_ALL_CIPHERS

	    56,

	    56,

	    SSL_ALL_CIPHERS,

	    SSL_ALL_STRENGTHS,

	    },

	/* Cipher 63 */

	    {

	    1,

	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,

	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,

	    SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,

	    SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,

	    SSL_EXPORT|SSL_EXP56,

	    0,

	    SSL_ALL_CIPHERS

	    56,

	    56,

	    SSL_ALL_CIPHERS,

	    SSL_ALL_STRENGTHS,

	    },

	/* Cipher 64 */

	    {

	    1,

	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,

	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,

	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1,

	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,

	    SSL_EXPORT|SSL_EXP56,

	    0,

	    SSL_ALL_CIPHERS

	    56,

	    128,

	    SSL_ALL_CIPHERS,

	    SSL_ALL_STRENGTHS,

	    },

	/* Cipher 65 */

	    {

	    1,

	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,

	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,

	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1,

	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,

	    SSL_EXPORT|SSL_EXP56,

	    0,

	    SSL_ALL_CIPHERS

	    56,

	    128,

	    SSL_ALL_CIPHERS,

	    SSL_ALL_STRENGTHS,

	    },

	/* Cipher 66 */

	    {
@@ -415,8 +559,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 
	    TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,

	    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,

	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,

	    SSL_NOT_EXP,

	    0,

	    SSL_ALL_CIPHERS

	    128,

	    128,

	    SSL_ALL_CIPHERS,

	    SSL_ALL_STRENGTHS

	    },

#endif
@@ -897,7 +1045,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, 
		emask=cert->export_mask;

			

		alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);

		if (SSL_IS_EXPORT(c->algorithms))

		if (SSL_C_IS_EXPORT(c))

			{

			ok=((alg & emask) == alg)?1:0;

#ifdef CIPHER_DEBUG