diff options
| author | Todd Short <tshort@akamai.com> | 2017-04-11 09:02:05 -0400 |
|---|---|---|
| committer | Rich Salz <rsalz@openssl.org> | 2017-04-11 13:25:19 -0400 |
| commit | fe55c4a20f79c77c64a082c5df2c5e8a61317162 (patch) | |
| tree | 6e9ca61911249bce6f52a46d911148ccf8e36f72 | |
| parent | cbbe9186f3d625f98aecb3f4dd4aaf457066b25c (diff) | |
| download | openssl-fe55c4a20f79c77c64a082c5df2c5e8a61317162.tar.gz | |
Remove ECDH(E) ciphers from SSLv3
SSLv3 does not support TLS extensions, and thus, cannot provide any
curves for ECDH(E). With the removal of the default (all) list of curves
being used for connections that didn't provide any curves, ECDHE is no
longer possible.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3181)
| -rw-r--r-- | ssl/s3_lib.c | 40 |
1 files changed, 20 insertions, 20 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 54c49ab762..289dc51cb2 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -931,7 +931,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -947,7 +947,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -963,7 +963,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -978,7 +978,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -993,7 +993,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1009,7 +1009,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1025,7 +1025,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1040,7 +1040,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1055,7 +1055,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1071,7 +1071,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1087,7 +1087,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1102,7 +1102,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1698,7 +1698,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1714,7 +1714,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1729,7 +1729,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1774,7 +1774,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2701,7 +2701,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2716,7 +2716,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2731,7 +2731,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2746,7 +2746,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, |