authorBodo Möller <bodo@openssl.org>2005-11-15 23:32:11 +0000
committerBodo Möller <bodo@openssl.org>2005-11-15 23:32:11 +0000
commitd804f86b88f8d45edd71f51713a56f8af9af4fed (patch)
tree13dc39cc426cb0432f42e699d884c9a827aa0108 /ssl
parent8dee9f844f8f22e74d00dff43043732ef1e1fe15 (diff)
disable some invalid ciphersuites
Diffstat (limited to 'ssl')
-rw-r--r--ssl/s2_lib.c2
-rw-r--r--ssl/s3_lib.c4
-rw-r--r--ssl/tls1.h9
3 files changed, 9 insertions, 6 deletions
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 37f83cd891..a454cac9f1 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -178,7 +178,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
SSL_ALL_STRENGTHS,
},
/* RC4_64_WITH_MD5 */
-#if 1
+#if 0
{
1,
SSL2_TXT_RC4_64_WITH_MD5,
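Review bot: The `#if 0` that now compiles out the RC4_64_WITH_MD5 entry gives no reason, so a later reader cannot tell a deliberate removal from a leftover build switch, and flipping it back would silently re-enable the suite. I would put the reason on the switch itself, for example `#if 0 /* disabled: not a valid SSL 2.0 ciphersuite */`, with wording that matches whatever the author means by "invalid" in the commit message. The new `#if 0` in the ssl/s3_lib.c hunk has the same gap. The table entry and its matching `#endif` continue outside this hunk.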
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index f94c0d957d..5a3e41f2f8 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1213,7 +1213,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
#endif /* OPENSSL_NO_ECDH */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
- /* New TLS Export CipherSuites */
+ /* New TLS Export CipherSuites from expired ID */
+#if 0
/* Cipher 60 */
{
1,
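Review bot: The reworded comment `/* New TLS Export CipherSuites from expired ID */` now sits directly above the `#if 0` that removes ciphers 60 and 61, which the tls1.h hunk marks as the two that are not in the draft. Read in place, it suggests the opposite: that the disabled entries are the ones taken from the ID. I would put `/* Ciphers 60 and 61 are not in the ID: disabled */` before the `#if 0` and move the "from expired ID" comment to just after the `#endif` in the next hunk, ahead of `/* Cipher 62 */`. Closing with `#endif /* 0 */` would also keep it distinguishable from the enclosing `#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES`, whose end lies outside the visible hunks.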
@@ -1240,6 +1241,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
+#endif
/* Cipher 62 */
{
1,
diff --git a/ssl/tls1.h b/ssl/tls1.h
index be15445384..112ef3a99f 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -97,12 +97,13 @@ extern "C" {
#define TLS1_AD_USER_CANCELLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
-/* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt
+/* Additional TLS ciphersuites from expired Internet Draft
+ * draft-ietf-tls-56-bit-ciphersuites-01.txt
* (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
* s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably
- * shouldn't. */
-#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060
-#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061
+ * shouldn't. Note that the first two are actually not in the IDs. */
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060 /* not in ID */
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061 /* not in ID */
#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062
#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063
#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064
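Review bot: `TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5` and `TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5` stay defined here while the s3_lib.c hunk compiles their table entries out. Code that refers to these ids still builds but, as far as the visible hunks show, no longer has a matching entry in `ssl3_ciphers[]`. The trailing comments could record that, for example `/* not in ID; entry disabled in s3_lib.c */`, so nobody treats the constants as usable suites. The block comment also cites only `draft-ietf-tls-56-bit-ciphersuites-01.txt` and then says "not in the IDs"; naming the draft revisions meant would remove the ambiguity.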