diff options
| author | jsing <> | 2018-06-02 16:29:01 +0000 |
|---|---|---|
| committer | jsing <> | 2018-06-02 16:29:01 +0000 |
| commit | cd126e741290f084546caeabdc425a5878244043 (patch) | |
| tree | 03105b3a30a1d556ff0c365a3888a4253c057c0f /src | |
| parent | be2eb562a3b6b24f6f7bf2a5fe7b2fbce5209289 (diff) | |
| download | openbsd-cd126e741290f084546caeabdc425a5878244043.tar.gz openbsd-cd126e741290f084546caeabdc425a5878244043.tar.bz2 openbsd-cd126e741290f084546caeabdc425a5878244043.zip | |
Remove the three remaining single DES cipher suites.
These are insecure and should not be used - furthermore, we would should
not have been allowing their negotiation with TLSv1.2 (as noted by Robert
Merget, Juraj Somorovsky and Simon Friedberger). Removing these cipher
suites also fixes this issue.
ok beck@ inoguchi@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 50 |
1 files changed, 1 insertions, 49 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index aa430ee971..b3162ff657 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.166 2018/04/07 16:55:13 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.167 2018/06/02 16:29:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -237,22 +237,6 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 237 | .alg_bits = 128, | 237 | .alg_bits = 128, |
| 238 | }, | 238 | }, |
| 239 | 239 | ||
| 240 | /* Cipher 09 */ | ||
| 241 | { | ||
| 242 | .valid = 1, | ||
| 243 | .name = SSL3_TXT_RSA_DES_64_CBC_SHA, | ||
| 244 | .id = SSL3_CK_RSA_DES_64_CBC_SHA, | ||
| 245 | .algorithm_mkey = SSL_kRSA, | ||
| 246 | .algorithm_auth = SSL_aRSA, | ||
| 247 | .algorithm_enc = SSL_DES, | ||
| 248 | .algorithm_mac = SSL_SHA1, | ||
| 249 | .algorithm_ssl = SSL_SSLV3, | ||
| 250 | .algo_strength = SSL_LOW, | ||
| 251 | .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 252 | .strength_bits = 56, | ||
| 253 | .alg_bits = 56, | ||
| 254 | }, | ||
| 255 | |||
| 256 | /* Cipher 0A */ | 240 | /* Cipher 0A */ |
| 257 | { | 241 | { |
| 258 | .valid = 1, | 242 | .valid = 1, |
| @@ -273,22 +257,6 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 273 | * Ephemeral DH (DHE) ciphers. | 257 | * Ephemeral DH (DHE) ciphers. |
| 274 | */ | 258 | */ |
| 275 | 259 | ||
| 276 | /* Cipher 15 */ | ||
| 277 | { | ||
| 278 | .valid = 1, | ||
| 279 | .name = SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, | ||
| 280 | .id = SSL3_CK_EDH_RSA_DES_64_CBC_SHA, | ||
| 281 | .algorithm_mkey = SSL_kDHE, | ||
| 282 | .algorithm_auth = SSL_aRSA, | ||
| 283 | .algorithm_enc = SSL_DES, | ||
| 284 | .algorithm_mac = SSL_SHA1, | ||
| 285 | .algorithm_ssl = SSL_SSLV3, | ||
| 286 | .algo_strength = SSL_LOW, | ||
| 287 | .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 288 | .strength_bits = 56, | ||
| 289 | .alg_bits = 56, | ||
| 290 | }, | ||
| 291 | |||
| 292 | /* Cipher 16 */ | 260 | /* Cipher 16 */ |
| 293 | { | 261 | { |
| 294 | .valid = 1, | 262 | .valid = 1, |
| @@ -321,22 +289,6 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 321 | .alg_bits = 128, | 289 | .alg_bits = 128, |
| 322 | }, | 290 | }, |
| 323 | 291 | ||
| 324 | /* Cipher 1A */ | ||
| 325 | { | ||
| 326 | .valid = 1, | ||
| 327 | .name = SSL3_TXT_ADH_DES_64_CBC_SHA, | ||
| 328 | .id = SSL3_CK_ADH_DES_64_CBC_SHA, | ||
| 329 | .algorithm_mkey = SSL_kDHE, | ||
| 330 | .algorithm_auth = SSL_aNULL, | ||
| 331 | .algorithm_enc = SSL_DES, | ||
| 332 | .algorithm_mac = SSL_SHA1, | ||
| 333 | .algorithm_ssl = SSL_SSLV3, | ||
| 334 | .algo_strength = SSL_LOW, | ||
| 335 | .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 336 | .strength_bits = 56, | ||
| 337 | .alg_bits = 56, | ||
| 338 | }, | ||
| 339 | |||
| 340 | /* Cipher 1B */ | 292 | /* Cipher 1B */ |
| 341 | { | 293 | { |
| 342 | .valid = 1, | 294 | .valid = 1, |