diff options
author | Rich Salz <rsalz@openssl.org> | 2016-08-18 08:56:42 -0400 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-08-24 14:05:52 +0100 |
commit | ef28891bab7054667f2f6739f6d376c38b3ca1cc (patch) | |
tree | f0836691169fc07d0ee93b7bd15496a87b9b65c0 | |
parent | d33726b92e09605a088369d0e01c99d138c0524f (diff) |
Put DES into "not default" category.
Add CVE to CHANGES
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | ssl/s3_lib.c | 22 |
2 files changed, 14 insertions, 13 deletions
@@ -4,8 +4,9 @@ Changes between 1.0.2h and 1.1.0 [xx XXX xxxx] - *) Because of the SWEET32 attack, 3DES cipher suites have been disabled by - default like RC4. See the RC4 item below to re-enable both. + *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites + have been disabled by default and removed from DEFAULT, just like RC4. + See the RC4 item below to re-enable both. [Rich Salz] *) The method for finding the storage location for the Windows RAND seed file diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 1baf9936ba..e94ee83717 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -57,7 +57,7 @@ #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) /* - * The list of available ciphers, organized into the following + * The list of available ciphers, mostly organized into the following * groups: * Always there * EC @@ -108,7 +108,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -138,7 +138,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -862,7 +862,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -924,7 +924,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1201,7 +1201,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1248,7 +1248,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1295,7 +1295,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1613,7 +1613,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1739,7 +1739,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1754,7 +1754,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, |