Remove ECDH(E) ciphers from SSLv3
SSLv3 does not support TLS extensions, and thus, cannot provide any
curves for ECDH(E). With the removal of the default (all) list of curves
being used for connections that didn't provide any curves, ECDHE is no
longer possible.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from #3181)
tmshort authored and Rich Salz committed Apr 11, 2017
1 parent cbbe918 commit fe55c4a
Showing 1 changed file with 20 additions and 20 deletions.
40 changes: 20 additions & 20 deletions ssl/s3_lib.c
Expand Up @@ -931,7 +931,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_eNULL,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -947,7 +947,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -963,7 +963,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -978,7 +978,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -993,7 +993,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_eNULL,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -1009,7 +1009,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -1025,7 +1025,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -1040,7 +1040,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -1055,7 +1055,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_eNULL,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -1071,7 +1071,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -1087,7 +1087,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -1102,7 +1102,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand Down Expand Up @@ -1698,7 +1698,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -1714,7 +1714,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -1729,7 +1729,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand Down Expand Up @@ -1774,7 +1774,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand Down Expand Up @@ -2701,7 +2701,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -2716,7 +2716,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -2731,7 +2731,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
Expand All @@ -2746,7 +2746,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
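Review bot: The new `TLS1_VERSION` floor is undocumented in the table and cannot be checked against the key exchange from these hunks: each one shows only the auth/enc/MAC fields (`SSL_aECDSA`, `SSL_aRSA`, `SSL_aNULL`, `SSL_aPSK`), and the entry's kx field lies outside the context, so a reader cannot confirm that exactly the ECDH(E) entries were raised and none was missed. The initializer of `ssl3_ciphers[]` starts and ends outside every hunk. I would add a short comment at the head of each affected group, e.g. `/* ECDH(E) needs the curves extension, which SSLv3 cannot carry: min_tls is TLS1_VERSION */`, so that a new suite copied from a neighbouring entry does not bring `SSL3_VERSION` back. Since the commit touches only ssl/s3_lib.c, a small table check in the test suite would also be worth adding, asserting that no entry whose `algorithm_mkey` has `SSL_kECDHE` or `SSL_kECDHEPSK` set keeps `min_tls == SSL3_VERSION`.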
