summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--CHANGES5
-rw-r--r--ssl/s3_lib.c22
2 files changed, 14 insertions, 13 deletions
diff --git a/CHANGES b/CHANGES
index fb4e7a53db..78a5a4d51c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,8 +4,9 @@
Changes between 1.0.2h and 1.1.0 [xx XXX xxxx]
- *) Because of the SWEET32 attack, 3DES cipher suites have been disabled by
- default like RC4. See the RC4 item below to re-enable both.
+ *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
+ have been disabled by default and removed from DEFAULT, just like RC4.
+ See the RC4 item below to re-enable both.
[Rich Salz]
*) The method for finding the storage location for the Windows RAND seed file
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 1baf9936ba..e94ee83717 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -57,7 +57,7 @@
#define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers)
/*
- * The list of available ciphers, organized into the following
+ * The list of available ciphers, mostly organized into the following
* groups:
* Always there
* EC
@@ -108,7 +108,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -138,7 +138,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -862,7 +862,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -924,7 +924,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -1201,7 +1201,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -1248,7 +1248,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -1295,7 +1295,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -1613,7 +1613,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -1739,7 +1739,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -1754,7 +1754,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-16 21:40:53 +0000