From cd126e741290f084546caeabdc425a5878244043 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 2 Jun 2018 16:29:01 +0000
Subject: Remove the three remaining single DES cipher suites.

These are insecure and should not be used - furthermore, we would should
not have been allowing their negotiation with TLSv1.2 (as noted by Robert
Merget, Juraj Somorovsky and Simon Friedberger). Removing these cipher
suites also fixes this issue.

ok beck@ inoguchi@
---
 src/lib/libssl/s3_lib.c | 50 +------------------------------------------------
 1 file changed, 1 insertion(+), 49 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index aa430ee971..b3162ff657 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.166 2018/04/07 16:55:13 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.167 2018/06/02 16:29:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -237,22 +237,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 128,
 	},
 
-	/* Cipher 09 */
-	{
-		.valid = 1,
-		.name = SSL3_TXT_RSA_DES_64_CBC_SHA,
-		.id = SSL3_CK_RSA_DES_64_CBC_SHA,
-		.algorithm_mkey = SSL_kRSA,
-		.algorithm_auth = SSL_aRSA,
-		.algorithm_enc = SSL_DES,
-		.algorithm_mac = SSL_SHA1,
-		.algorithm_ssl = SSL_SSLV3,
-		.algo_strength = SSL_LOW,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 56,
-		.alg_bits = 56,
-	},
-
 	/* Cipher 0A */
 	{
 		.valid = 1,
@@ -273,22 +257,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 	 * Ephemeral DH (DHE) ciphers.
 	 */
 
-	/* Cipher 15 */
-	{
-		.valid = 1,
-		.name = SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
-		.id = SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aRSA,
-		.algorithm_enc = SSL_DES,
-		.algorithm_mac = SSL_SHA1,
-		.algorithm_ssl = SSL_SSLV3,
-		.algo_strength = SSL_LOW,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 56,
-		.alg_bits = 56,
-	},
-
 	/* Cipher 16 */
 	{
 		.valid = 1,
@@ -321,22 +289,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 128,
 	},
 
-	/* Cipher 1A */
-	{
-		.valid = 1,
-		.name = SSL3_TXT_ADH_DES_64_CBC_SHA,
-		.id = SSL3_CK_ADH_DES_64_CBC_SHA,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aNULL,
-		.algorithm_enc = SSL_DES,
-		.algorithm_mac = SSL_SHA1,
-		.algorithm_ssl = SSL_SSLV3,
-		.algo_strength = SSL_LOW,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 56,
-		.alg_bits = 56,
-	},
-
 	/* Cipher 1B */
 	{
 		.valid = 1,
-- 
cgit v1.2.3-55-g6feb