authorRich Salz <rsalz@openssl.org>2015-02-27 15:06:41 -0500
committerRich Salz <rsalz@openssl.org>2015-03-01 16:18:16 -0500
commita258afaf7c0da143f15e1cf636279c7aaee7394f (patch)
treedb313e61051bc35182e978378067a8ca292685b2 /ssl
parentaf674d4e20a82c2a98767b837072d7093c70b1cf (diff)
Remove experimental 56bit export ciphers
These ciphers are removed:
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA
They were defined in a long-expired IETF internet-draft:
draft-ietf-tls-56-bit-ciphersuites-01.txt

Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/s3_lib.c82
-rw-r--r--ssl/tls1.h19
2 files changed, 0 insertions, 101 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ab19eebaea..20ce112e5f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1212,88 +1212,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
},
#endif /* OPENSSL_NO_CAMELLIA */
-#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
- /* Cipher 62 */
- {
- 1,
- TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
- TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 56,
- 56,
- },
-
- /* Cipher 63 */
- {
- 1,
- TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
- TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
- SSL_kDHE,
- SSL_aDSS,
- SSL_DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 56,
- 56,
- },
-
- /* Cipher 64 */
- {
- 1,
- TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
- TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 56,
- 128,
- },
-
- /* Cipher 65 */
- {
- 1,
- TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
- TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
- SSL_kDHE,
- SSL_aDSS,
- SSL_RC4,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 56,
- 128,
- },
-
- /* Cipher 66 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
- TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
- SSL_kDHE,
- SSL_aDSS,
- SSL_RC4,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP | SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
- 128,
- },
-#endif
-
/* TLS v1.2 ciphersuites */
/* Cipher 67 */
{
diff --git a/ssl/tls1.h b/ssl/tls1.h
index af03f13938..cb14d8e89f 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -162,8 +162,6 @@ extern "C" {
# define OPENSSL_TLS_SECURITY_LEVEL 1
# endif
-# define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
-
# define TLS1_VERSION 0x0301
# define TLS1_1_VERSION 0x0302
# define TLS1_2_VERSION 0x0303
@@ -411,23 +409,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
# define TLS1_CK_PSK_WITH_AES_128_CBC_SHA 0x0300008C
# define TLS1_CK_PSK_WITH_AES_256_CBC_SHA 0x0300008D
-/*
- * Additional TLS ciphersuites from expired Internet Draft
- * draft-ietf-tls-56-bit-ciphersuites-01.txt (available if
- * TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see s3_lib.c). We
- * actually treat them like SSL 3.0 ciphers, which we probably shouldn't.
- * Note that the first two are actually not in the IDs.
- */
-# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060/* not in
- * ID */
-# define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061/* not in
- * ID */
-# define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062
-# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063
-# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064
-# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065
-# define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066
-
/* AES ciphersuites from RFC3268 */
# define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F