Commit 595487ea authored by Matt Caswell

Remove export static DH ciphersuites



Remove support for the two export grade static DH ciphersuites. These two
ciphersuites were newly added (along with a number of other static DH
ciphersuites) to 1.0.2. However the two export ones have *never* worked
since they were introduced. It seems strange in any case to be adding new
export ciphersuites, and given "logjam" it also does not seem correct to
fix them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 13f8eb47)

Conflicts:
	CHANGES
parent c6eb1cbd
+8 −0
@@ -4,6 +4,14 @@

 Changes between 1.0.2a and 1.0.2b [xx XXX xxxx]

  *) Removed support for the two export grade static DH ciphersuites
     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
     were newly added (along with a number of other static DH ciphersuites) to
     1.0.2. However the two export ones have *never* worked since they were
     introduced. It seems strange in any case to be adding new export
     ciphersuites, and given "logjam" it also does not seem correct to fix them.
     [Matt Caswell]

  *) Only support 256-bit or stronger elliptic curves with the
     'ecdh_auto' setting (server) or by default (client). Of supported
     curves, prefer P-256 (both).
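
Review bot: The entry's opening words, "Removed support for", say more than the code change in this commit does: the two ssl3_ciphers[] hunks keep the Cipher 0B and 0E entries in the table and only change their first field from `1` to `0`. Consider "Disabled" here, or add a sentence saying the definitions remain in the source, so that someone reading CHANGES is not surprised to still find both names in the tree.
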
+0 −2
@@ -365,10 +365,8 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
 SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
 SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA

 SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    EXP-DH-DSS-DES-CBC-SHA
 SSL_DH_DSS_WITH_DES_CBC_SHA             DH-DSS-DES-CBC-SHA
 SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        DH-DSS-DES-CBC3-SHA
 SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    EXP-DH-RSA-DES-CBC-SHA
 SSL_DH_RSA_WITH_DES_CBC_SHA             DH-RSA-DES-CBC-SHA
 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        DH-RSA-DES-CBC3-SHA
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
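
Review bot: The mappings for SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA and SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA are dropped with nothing in their place, so a reader who looks up either standard name gets no indication that it was left out on purpose. Keeping both lines with the right-hand column marked as not implemented, instead of the OpenSSL name, would document the status and match the CHANGES entry.
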
+2 −2
@@ -330,7 +330,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
/* The DH ciphers */
/* Cipher 0B */
    {
     1,
     0,
     SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
     SSL3_CK_DH_DSS_DES_40_CBC_SHA,
     SSL_kDHd,
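
Review bot: The first field of the Cipher 0B entry goes from `1,` to `0,` with no comment, so a later reader cannot tell a deliberate disable from a mistake. Add a short comment above the entry, for example "export static DH, never worked, intentionally disabled", or delete the entry outright if nothing else depends on it.
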
@@ -378,7 +378,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {

/* Cipher 0E */
    {
     1,
     0,
     SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
     SSL3_CK_DH_RSA_DES_40_CBC_SHA,
     SSL_kDHr,
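
Review bot: Nothing among the three files touched here checks that the Cipher 0E entry, or 0B above it, can no longer be selected once its first field is `0`. A small test that requests EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA by name and expects no match would keep either entry from being re-enabled unnoticed.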