diff options
| author | slontis <shane.lontis@oracle.com> | 2021-09-22 15:53:54 +1000 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2021-09-23 14:17:33 +0200 |
| commit | c3b5fa4ab7d19e35311a21fec3ebc0a333c352b6 (patch) | |
| tree | 044e30adbacd5a1aaa0ab9712522f1276cb9b652 /ssl | |
| parent | eeb612021e220de734e1ff08499f42bb962c3916 (diff) | |
Change TLS RC4 cipher strength check to be data driven.
This is a same pattern as used in PR #16652
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16656)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/s3_lib.c | 20 | ||||
| -rw-r--r-- | ssl/ssl_cert.c | 3 |
2 files changed, 10 insertions, 13 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 348d02d8bd..ef027d79e0 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2807,7 +2807,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2823,7 +2823,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2839,7 +2839,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2855,7 +2855,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2871,7 +2871,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2887,7 +2887,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2903,7 +2903,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2919,7 +2919,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2935,7 +2935,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2951,7 +2951,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, #endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */ diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 547e9b9ccd..a9e71046b3 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1021,9 +1021,6 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, /* SHA1 HMAC is 160 bits of security */ if (minbits > 160 && c->algorithm_mac & SSL_SHA1) return 0; - /* Level 2: no RC4 */ - if (level >= 2 && c->algorithm_enc == SSL_RC4) - return 0; /* Level 3: forward secure ciphersuites only */ if (level >= 3 && c->min_tls != TLS1_3_VERSION && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) |