Change the DEFAULT ciphersuites to exclude DES, RC4 and RC2

This patch updates the "DEFAULT" cipherstring to be
"ALL:!COMPLEMENTOFDEFAULT:!eNULL". COMPLEMENTOFDEFAULT is now defined
internally by a flag on each ciphersuite indicating whether it should be
excluded from DEFAULT or not. This gives us control at an individual
ciphersuite level as to exactly what is in DEFAULT and what is not.

Finally all DES, RC4 and RC2 ciphersuites are added to COMPLEMENTOFDEFAULT
and hence removed from DEFAULT.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Matt Caswell 2015-09-29 11:14:35 +01:00
parent 8eed3289b2
commit c84f7f4a74
6 changed files with 98 additions and 72 deletions


@ -4,6 +4,12 @@
Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] Changes between 1.0.2 and 1.1.0 [xx XXX xxxx]
*) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
DES and RC4 ciphersuites.
[Matt Caswell]
*) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
This changes the decoding behaviour for some invalid messages, This changes the decoding behaviour for some invalid messages,
though the change is mostly in the more lenient direction, and though the change is mostly in the more lenient direction, and


@ -117,15 +117,16 @@ The following is a list of all permitted cipher strings and their meanings.
=item B<DEFAULT> =item B<DEFAULT>
the default cipher list. This is determined at compile time and, as of OpenSSL the default cipher list. This is determined at compile time and
1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string is B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>. This must be the first cipher
specified. string specified.
=item B<COMPLEMENTOFDEFAULT> =item B<COMPLEMENTOFDEFAULT>
the ciphers included in B<ALL>, but not enabled by default. Currently the ciphers included in B<ALL>, but not enabled by default. Currently
this is B<ADH> and B<AECDH>. Note that this rule does not cover B<eNULL>, this includes all RC4, DES, RC2 and anonymous ciphers. Note that this rule does
which is not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary). not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
necessary).
=item B<ALL> =item B<ALL>


@ -290,7 +290,7 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when * The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'. * an application-defined cipher list string starts with 'DEFAULT'.
*/ */
# define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL" # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
/* /*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is * starts with a reasonable order, and all we have to do for DEFAULT is
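Review bot: Dropping `!aNULL` from SSL_DEFAULT_CIPHER_LIST means anonymous suites now stay out of DEFAULT only if every aNULL entry in ssl3_ciphers carries SSL_NOT_DEFAULT and the COMPLEMENTOFDEFAULT alias in ssl_ciph.c selects on that bit, yet the comment above the macro still presents the string as self-contained. I would extend that comment with `* Exclusion from DEFAULT is driven by the SSL_NOT_DEFAULT flag on each entry of ssl3_ciphers (selected by COMPLEMENTOFDEFAULT in ssl_ciph.c), not by algorithm name; !aNULL is deliberately no longer spelled out here.` so the next person editing the string knows where the policy actually lives. The comment block below the macro continues outside the hunk.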


@ -173,7 +173,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_STRONG_NONE, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -189,7 +189,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -205,7 +205,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -221,7 +221,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -237,7 +237,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -253,7 +253,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -287,7 +287,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -303,7 +303,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -336,7 +336,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -352,7 +352,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -384,7 +384,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -400,7 +400,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -433,7 +433,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -449,7 +449,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -481,7 +481,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -497,7 +497,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -529,7 +529,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -545,7 +545,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -561,7 +561,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -577,7 +577,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -593,7 +593,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES, SSL_3DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112, 112,
168, 168,
@ -609,7 +609,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -624,7 +624,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -639,7 +639,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -732,7 +732,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128, SSL_AES128,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -827,7 +827,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256, SSL_AES256,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,
@ -844,7 +844,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -1023,7 +1023,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128, SSL_CAMELLIA128,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1121,7 +1121,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128, SSL_AES128,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1137,7 +1137,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256, SSL_AES256,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,
@ -1168,7 +1168,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_GOST94, SSL_GOST94,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94, SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
0, 0,
0 0
@ -1266,7 +1266,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256, SSL_CAMELLIA256,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,
@ -1285,7 +1285,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1349,7 +1349,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1413,7 +1413,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1561,7 +1561,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED, SSL_SEED,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1741,7 +1741,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM, SSL_AES128GCM,
SSL_AEAD, SSL_AEAD,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128, 128,
128, 128,
@ -1757,7 +1757,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM, SSL_AES256GCM,
SSL_AEAD, SSL_AEAD,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256, 256,
256, 256,
@ -1903,7 +1903,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -1919,7 +1919,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA384, SSL_SHA384,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0, 0,
0, 0,
@ -1967,7 +1967,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -1983,7 +1983,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA384, SSL_SHA384,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0, 0,
0, 0,
@ -2031,7 +2031,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -2047,7 +2047,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA384, SSL_SHA384,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0, 0,
0, 0,
@ -2147,7 +2147,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128, SSL_CAMELLIA128,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128, 128,
128, 128,
@ -2243,7 +2243,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256, SSL_CAMELLIA256,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256, 256,
256, 256,
@ -2278,7 +2278,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -2294,7 +2294,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2358,7 +2358,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -2374,7 +2374,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2438,7 +2438,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -2454,7 +2454,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2518,7 +2518,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -2534,7 +2534,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2598,7 +2598,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -2614,7 +2614,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2630,7 +2630,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES, SSL_3DES,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112, 112,
168, 168,
@ -2646,7 +2646,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128, SSL_AES128,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2662,7 +2662,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256, SSL_AES256,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,
@ -3087,7 +3087,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -3183,7 +3183,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -3199,7 +3199,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0, 0,
0, 0,
@ -3215,7 +3215,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL, SSL_eNULL,
SSL_SHA384, SSL_SHA384,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0, 0,
0, 0,
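Review bot: Exclusion from DEFAULT is now a hand-maintained bit on each of the roughly fifty initializers touched in this file, with nothing tying it to the cipher or authentication fields, so a future DES, RC4, RC2 or aNULL entry added without SSL_NOT_DEFAULT silently lands in DEFAULT. The 3DES, AES, Camellia and SEED entries that also receive the flag (the hunks at -593, -732, -1023, -1561 and similar) are presumably the anonymous ADH/AECDH suites, but their key-exchange and authentication fields sit just above each hunk and are not visible here, so I could not confirm that every aNULL suite was covered. I would add a table-invariant check to the test suite that walks ssl3_ciphers and asserts `algo_strength & SSL_NOT_DEFAULT` for every entry whose encryption field intersects `SSL_DES | SSL_RC4 | SSL_RC2 | SSL_eNULL` or whose authentication field is `SSL_aNULL`, so the flag and the policy stated in CHANGES cannot drift apart. A one-line comment above the table, `/* SSL_NOT_DEFAULT must be set on every DES, RC4, RC2, eNULL and aNULL suite; DEFAULT relies on this flag, not on !aNULL */`, would make the contract visible to whoever adds the next entry. Each hunk changes only the algo_strength field of a struct initializer whose start and end lie outside the hunk.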


@ -295,8 +295,7 @@ static const SSL_CIPHER cipher_aliases[] = {
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!) * ALL!)
*/ */
{0, SSL_TXT_CMPDEF, 0, SSL_kDHE | SSL_kECDHE, SSL_aNULL, ~SSL_eNULL, 0, 0, {0, SSL_TXT_CMPDEF, 0, 0, 0, ~SSL_eNULL, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
0, 0, 0, 0},
/* /*
* key exchange aliases (some of those using only a single bit here * key exchange aliases (some of those using only a single bit here
@ -966,6 +965,9 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
if ((algo_strength & SSL_STRONG_MASK) if ((algo_strength & SSL_STRONG_MASK)
&& !(algo_strength & SSL_STRONG_MASK & cp->algo_strength)) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
continue; continue;
if ((algo_strength & SSL_DEFAULT_MASK)
&& !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))
continue;
} }
#ifdef CIPHER_DEBUG #ifdef CIPHER_DEBUG
@ -1251,6 +1253,20 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
ca_list[j]->algo_strength & SSL_STRONG_MASK; ca_list[j]->algo_strength & SSL_STRONG_MASK;
} }
if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
if (algo_strength & SSL_DEFAULT_MASK) {
algo_strength &=
(ca_list[j]->algo_strength & SSL_DEFAULT_MASK) |
~SSL_DEFAULT_MASK;
if (!(algo_strength & SSL_DEFAULT_MASK)) {
found = 0;
break;
}
} else
algo_strength |=
ca_list[j]->algo_strength & SSL_DEFAULT_MASK;
}
if (ca_list[j]->valid) { if (ca_list[j]->valid) {
/* /*
* explicit ciphersuite found; its protocol version does not * explicit ciphersuite found; its protocol version does not
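Review bot: The SSL_DEFAULT_MASK intersection added to ssl_cipher_process_rulestr mirrors the SSL_STRONG_MASK logic just above it, but the mask currently contains a single bit (SSL_NOT_DEFAULT), so after `algo_strength &= (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) | ~SSL_DEFAULT_MASK` the masked portion can never become zero and the `found = 0; break;` branch is unreachable. Either reduce the block to the one line `algo_strength |= ca_list[j]->algo_strength & SSL_DEFAULT_MASK;` or keep the general form and say why, e.g. `/* SSL_DEFAULT_MASK is a single bit today; the empty-intersection case only matters if further default classes are added */`, so a reader does not hunt for the input that triggers it. The matching filter added to ssl_cipher_apply_rule is consistent with this alias definition and looks correct for the single-bit case. Both ssl_cipher_apply_rule and ssl_cipher_process_rulestr begin and end outside these hunks.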


@ -429,6 +429,7 @@
*/ */
# define SSL_EXP_MASK 0x00000003L # define SSL_EXP_MASK 0x00000003L
# define SSL_STRONG_MASK 0x000001fcL # define SSL_STRONG_MASK 0x000001fcL
# define SSL_DEFAULT_MASK 0X00000200L
# define SSL_NOT_EXP 0x00000001L # define SSL_NOT_EXP 0x00000001L
# define SSL_EXPORT 0x00000002L # define SSL_EXPORT 0x00000002L
@ -443,7 +444,9 @@
# define SSL_HIGH 0x00000080L # define SSL_HIGH 0x00000080L
# define SSL_FIPS 0x00000100L # define SSL_FIPS 0x00000100L
/* we have used 000001ff - 23 bits left to go */ # define SSL_NOT_DEFAULT 0x00000200L
/* we have used 000003ff - 22 bits left to go */
/*- /*-
* Macros to check the export status and cipher strength for export ciphers. * Macros to check the export status and cipher strength for export ciphers.
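Review bot: `# define SSL_DEFAULT_MASK 0X00000200L` uses an uppercase `0X` prefix while every neighbouring constant uses lowercase `0x`; the value is correct but the inconsistency reads as a typo, so `# define SSL_DEFAULT_MASK 0x00000200L`. SSL_DEFAULT_MASK and SSL_NOT_DEFAULT are defined independently a few lines apart, yet ssl_ciph.c relies on the flag lying inside the mask, so a comment on the mask line such as `/* must cover every SSL_*DEFAULT flag defined below */` would keep the two from drifting apart when a second default class is added. The updated "22 bits left to go" tally matches the new 0x3ff usage.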