Skip to content

Commit

Permalink
Remove experimental 56bit export ciphers
Browse files Browse the repository at this point in the history 
These ciphers are removed:
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA
They were defined in a long-expired IETF internet-draft:
draft-ietf-tls-56-bit-ciphersuites-01.txt

Reviewed-by: Richard Levitte <levitte@openssl.org>
  • Loading branch information
Rich Salz committed Mar 1, 2015
1 parent af674d4 commit a258afa
Show file tree
Hide file tree
Showing 2 changed files with 0 additions and 101 deletions.
82 changes: 0 additions & 82 deletions ssl/s3_lib.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1212,88 +1212,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
},
#endif /* OPENSSL_NO_CAMELLIA */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
/* Cipher 62 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_DES,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
},

/* Cipher 63 */
{
1,
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_DES,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
},

/* Cipher 64 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
},

/* Cipher 65 */
{
1,
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
},

/* Cipher 66 */
{
1,
TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
#endif

/* TLS v1.2 ciphersuites */
/* Cipher 67 */
{
Expand Down
19 changes: 0 additions & 19 deletions ssl/tls1.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -162,8 +162,6 @@ extern "C" {
# define OPENSSL_TLS_SECURITY_LEVEL 1
# endif

# define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0

# define TLS1_VERSION 0x0301
# define TLS1_1_VERSION 0x0302
# define TLS1_2_VERSION 0x0303
Expand Down Expand Up @@ -411,23 +409,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
# define TLS1_CK_PSK_WITH_AES_128_CBC_SHA 0x0300008C
# define TLS1_CK_PSK_WITH_AES_256_CBC_SHA 0x0300008D

/*
* Additional TLS ciphersuites from expired Internet Draft
* draft-ietf-tls-56-bit-ciphersuites-01.txt (available if
* TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see s3_lib.c). We
* actually treat them like SSL 3.0 ciphers, which we probably shouldn't.
* Note that the first two are actually not in the IDs.
*/
# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060/* not in
* ID */
# define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061/* not in
* ID */
# define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062
# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063
# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064
# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065
# define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066

/* AES ciphersuites from RFC3268 */

# define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F
Expand Down

0 comments on commit a258afa

Please sign in to comment.