Remove support for fixed ECDH cipher suites - these is not widely supported

and more importantly they do not provide PFS (if you want to use ECDH, use ECDHE instead). With input from guenther@. ok deraadt@ guenther@
author: jsing <> 2016-10-19 16:38:40 +0000
committer: jsing <> 2016-10-19 16:38:40 +0000
commit: 8acc30923121ec4884a8cb19e75bd99889131e7f (patch)
tree: 69cebce9957786fdcd7943948cd528b764891fb2 /src/lib/libssl/ssl_ciph.c
parent: ac7c37977891b32e21ccb19829cc10dc20c3d5ca (diff)
download: openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.tar.gz
openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.tar.bz2
openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.zip
1 files changed, 2 insertions, 30 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 526d98e293..2bf73c6606 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.86 2016/04/28 16:39:45 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.87 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -257,28 +257,14 @@ static const SSL_CIPHER cipher_aliases[] = {
                .name = SSL_TXT_DH,
                .algorithm_mkey = SSL_kDHE,
        },
-        {
-                .name = SSL_TXT_kECDHr,
-                .algorithm_mkey = SSL_kECDHr,
-        },
-        {
-                .name = SSL_TXT_kECDHe,
-                .algorithm_mkey = SSL_kECDHe,
-        },
-        {
-                .name = SSL_TXT_kECDH,
-                .algorithm_mkey = SSL_kECDHr|SSL_kECDHe,
-        },
        {
                .name = SSL_TXT_kEECDH,
                .algorithm_mkey = SSL_kECDHE,
        },
        {
                .name = SSL_TXT_ECDH,
-                .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kECDHE,
+                .algorithm_mkey = SSL_kECDHE,
        },
        {
                .name = SSL_TXT_kGOST,
                .algorithm_mkey = SSL_kGOST,
@@ -302,10 +288,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .algorithm_auth = SSL_aNULL,
        },
        {
-                .name = SSL_TXT_aECDH,
-                .algorithm_auth = SSL_aECDH,
-        },
-        {
                .name = SSL_TXT_aECDSA,
                .algorithm_auth = SSL_aECDSA,
        },
@@ -1455,7 +1437,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
        ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
        /* Move ciphers without forward secrecy to the end */
-        ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
        ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
        /* RC4 is sort of broken - move it to the end */
@@ -1597,12 +1578,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_kDHE:
                kx = "DH";
                break;
-        case SSL_kECDHr:
-                kx = "ECDH/RSA";
-                break;
-        case SSL_kECDHe:
-                kx = "ECDH/ECDSA";
-                break;
        case SSL_kECDHE:
                kx = "ECDH";
                break;
@@ -1620,9 +1595,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_aDSS:
                au = "DSS";
                break;
-        case SSL_aECDH:
-                au = "ECDH";
-                break;
        case SSL_aNULL:
                au = "None";
                break;
author	jsing <>	2016-10-19 16:38:40 +0000
committer	jsing <>	2016-10-19 16:38:40 +0000
commit	8acc30923121ec4884a8cb19e75bd99889131e7f (patch)
tree	69cebce9957786fdcd7943948cd528b764891fb2 /src/lib/libssl/ssl_ciph.c
parent	ac7c37977891b32e21ccb19829cc10dc20c3d5ca (diff)
download	openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.tar.gz openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.tar.bz2 openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.zip