Commit 1c735804 authored by Viktor Dukhovni

Really disable 56-bit (single-DES) ciphers



Reviewed-by: Kurt Roeckx <kurt@openssl.org>
parent 361a1191
+3 −14
@@ -165,8 +165,9 @@ encryption.

=item B<LOW>

"low" encryption cipher suites, currently those using 64 or 56 bit encryption
algorithms but excluding export cipher suites.
"low" encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher suites.  All these
ciphersuites have been removed as of OpenSSL 1.1.0.

=item B<eNULL>, B<NULL>

@@ -378,20 +379,14 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
 SSL_RSA_WITH_RC4_128_MD5                RC4-MD5
 SSL_RSA_WITH_RC4_128_SHA                RC4-SHA
 SSL_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
 SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
 SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA

 SSL_DH_DSS_WITH_DES_CBC_SHA             DH-DSS-DES-CBC-SHA
 SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        DH-DSS-DES-CBC3-SHA
 SSL_DH_RSA_WITH_DES_CBC_SHA             DH-RSA-DES-CBC-SHA
 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        DH-RSA-DES-CBC3-SHA
 SSL_DHE_DSS_WITH_DES_CBC_SHA            DHE-DSS-CBC-SHA
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       DHE-DSS-DES-CBC3-SHA
 SSL_DHE_RSA_WITH_DES_CBC_SHA            DHE-RSA-DES-CBC-SHA
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       DHE-RSA-DES-CBC3-SHA

 SSL_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
 SSL_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA

 SSL_FORTEZZA_KEA_WITH_NULL_SHA          Not implemented.
@@ -405,20 +400,14 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
 TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
 TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
 TLS_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
 TLS_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
 TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA

 TLS_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
 TLS_DH_RSA_WITH_DES_CBC_SHA             Not implemented.
 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
 TLS_DHE_DSS_WITH_DES_CBC_SHA            DHE-DSS-CBC-SHA
 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       DHE-DSS-DES-CBC3-SHA
 TLS_DHE_RSA_WITH_DES_CBC_SHA            DHE-RSA-DES-CBC-SHA
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       DHE-RSA-DES-CBC3-SHA

 TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
 TLS_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA

=head2 AES ciphersuites from RFC3268, extending TLS v1.0
+0 −96
@@ -245,22 +245,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     },
#endif

/* Cipher 09 */
    {
     1,
     SSL3_TXT_RSA_DES_64_CBC_SHA,
     SSL3_CK_RSA_DES_64_CBC_SHA,
     SSL_kRSA,
     SSL_aRSA,
     SSL_DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_DEFAULT | SSL_LOW,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     56,
     56,
     },

/* Cipher 0A */
    {
     1,
@@ -277,22 +261,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     168,
     },

/* Cipher 0C */
    {
     1,
     SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
     SSL3_CK_DH_DSS_DES_64_CBC_SHA,
     SSL_kDHd,
     SSL_aDH,
     SSL_DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_DEFAULT | SSL_LOW,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     56,
     56,
     },

/* Cipher 0D */
    {
     1,
@@ -309,22 +277,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     168,
     },

/* Cipher 0F */
    {
     1,
     SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
     SSL3_CK_DH_RSA_DES_64_CBC_SHA,
     SSL_kDHr,
     SSL_aDH,
     SSL_DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_DEFAULT | SSL_LOW,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     56,
     56,
     },

/* Cipher 10 */
    {
     1,
@@ -341,22 +293,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     168,
     },

/* Cipher 12 */
    {
     1,
     SSL3_TXT_DHE_DSS_DES_64_CBC_SHA,
     SSL3_CK_DHE_DSS_DES_64_CBC_SHA,
     SSL_kDHE,
     SSL_aDSS,
     SSL_DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_DEFAULT | SSL_LOW,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     56,
     56,
     },

/* Cipher 13 */
    {
     1,
@@ -373,22 +309,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     168,
     },

/* Cipher 15 */
    {
     1,
     SSL3_TXT_DHE_RSA_DES_64_CBC_SHA,
     SSL3_CK_DHE_RSA_DES_64_CBC_SHA,
     SSL_kDHE,
     SSL_aRSA,
     SSL_DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_DEFAULT | SSL_LOW,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     56,
     56,
     },

/* Cipher 16 */
    {
     1,
@@ -421,22 +341,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
     128,
     },

/* Cipher 1A */
    {
     1,
     SSL3_TXT_ADH_DES_64_CBC_SHA,
     SSL3_CK_ADH_DES_64_CBC_SHA,
     SSL_kDHE,
     SSL_aNULL,
     SSL_DES,
     SSL_SHA1,
     SSL_SSLV3,
     SSL_NOT_DEFAULT | SSL_LOW,
     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
     56,
     56,
     },

/* Cipher 1B */
    {
     1,