Move the static "DH" ciphersuites into the "weak-ssl-ciphers" list
Due to the Raccoon attack, static "DH" ciphersuites have been moved to
the "weak-ssl-ciphers" list. Support for the "weak-ssl-ciphers" is not
compiled in by default. Support can be added by configuring OpenSSL at
compile time with the "enable-weak-ssl-ciphers" option.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
mattcaswell committed Aug 31, 2020
1 parent 653394a commit 258aa81
Showing 3 changed files with 32 additions and 9 deletions.
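--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,13 @@
 
 Changes between 1.0.2v and 1.0.2w [xx XXX xxxx]
 
-*)
+*) Due to the Raccoon attack static "DH" ciphersuites have been moved to the
+"weak-ssl-ciphers" list. Support for the "weak-ssl-ciphers" is not compiled
+in by default. Support can be added by configuring OpenSSL at compile time
+with the "enable-weak-ssl-ciphers" option.
+This is not recommended.
+(CVE-2020-1968)
+[Matt Caswell]
 
 Changes between 1.0.2u and 1.0.2v [5 May 2020]
 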
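--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@
 
 Major changes between OpenSSL 1.0.2v and OpenSSL 1.0.2w [under development]
 
-o
+o Due to the Raccoon attack static "DH" ciphersuites have been moved to
+the "weak-ssl-ciphers" list (CVE-2020-1968)
 
 Major changes between OpenSSL 1.0.2u and OpenSSL 1.0.2v [5 May 2020]
 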
30 changes: 23 additions & 7 deletions ssl/s3_lib.c
Expand Up @@ -352,10 +352,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40,
56,
},
#endif

/* Cipher 0C */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
Expand All @@ -370,7 +368,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56,
56,
},
#endif

/* Cipher 0D */
{
Expand All @@ -389,7 +386,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
},

/* Cipher 0E */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
0,
SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
Expand All @@ -404,10 +400,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40,
56,
},
#endif

/* Cipher 0F */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
Expand All @@ -422,7 +416,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56,
56,
},
#endif

/* Cipher 10 */
{
Expand All @@ -439,6 +432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
112,
168,
},
#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */

/* The Ephemeral DH ciphers */
/* Cipher 11 */
Expand Down Expand Up @@ -941,6 +935,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},

#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
/* Cipher 30 */
{
1,
Expand Down Expand Up @@ -971,6 +967,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif

/* Cipher 32 */
{
1,
Expand Down Expand Up @@ -1032,6 +1030,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},

#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
/* Cipher 36 */
{
1,
Expand Down Expand Up @@ -1063,6 +1063,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},
#endif

/* Cipher 38 */
{
Expand Down Expand Up @@ -1161,6 +1162,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
256,
},

#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
/* Cipher 3E */
{
1,
Expand Down Expand Up @@ -1192,6 +1194,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif

/* Cipher 40 */
{
Expand Down Expand Up @@ -1228,6 +1231,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
128,
},

#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
/* Cipher 42 */
{
1,
Expand Down Expand Up @@ -1259,6 +1263,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif

/* Cipher 44 */
{
Expand Down Expand Up @@ -1451,6 +1456,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
128,
},

#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
/* Cipher 68 */
{
1,
Expand Down Expand Up @@ -1482,6 +1488,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},
#endif

/* Cipher 6A */
{
Expand Down Expand Up @@ -1620,6 +1627,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},

#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
/* Cipher 85 */
{
1,
Expand Down Expand Up @@ -1651,6 +1660,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},
#endif

/* Cipher 87 */
{
Expand Down Expand Up @@ -1786,6 +1796,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
128,
},

#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
/* Cipher 97 */
{
1,
Expand Down Expand Up @@ -1817,6 +1828,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
#endif

/* Cipher 99 */
{
Expand Down Expand Up @@ -1934,6 +1946,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
256,
},

#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
/* Cipher A0 */
{
1,
Expand Down Expand Up @@ -1965,6 +1978,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},
#endif

/* Cipher A2 */
{
Expand Down Expand Up @@ -1998,6 +2012,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
256,
},

#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
/* Cipher A4 */
{
1,
Expand Down Expand Up @@ -2029,6 +2044,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},
#endif

/* Cipher A6 */
{
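Review bot: The `#endif` that closes the static-DH block after cipher 10 is written `#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */`, but the nine `#endif` lines this commit adds after ciphers 31, 37, 3F, 43, 69, 86, 98, A1 and A5 are bare, so the guard style is inconsistent within one table. Each guarded span covers two cipher entries of roughly fifteen lines each, and the `#ifndef` matched by the annotated `#endif` opens before cipher 0B, outside the hunk, which is exactly the situation where naming the macro on the closing line helps a reader; I would write `#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */` on all of them. The change is confined to the cipher table, so it says nothing about other code that might refer to these suites by name (tests, for instance); whether such references exist is not visible in this diff and would need checking against the tree.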
