Rework the default cipherlist.

author Emilia Kasper <emilia@openssl.org>

Thu, 3 Mar 2016 18:50:03 +0000 (19:50 +0100)

committer Emilia Kasper <emilia@openssl.org>

Mon, 7 Mar 2016 15:53:42 +0000 (16:53 +0100)
author Emilia Kasper <emilia@openssl.org>
Thu, 3 Mar 2016 18:50:03 +0000 (19:50 +0100)
committer Emilia Kasper <emilia@openssl.org>
Mon, 7 Mar 2016 15:53:42 +0000 (16:53 +0100)
diff --git a/CHANGES b/CHANGES

index 8c4d9a50c65f0250211ffe4fcb93999e850401f1..f91ba054edf4b334aab17b197badb35c41bd6e72 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,15 @@
  
   Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]
  
  
   Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]
  
+  *) Changes to the DEFAULT cipherlist:
+       - Prefer (EC)DHE handshakes over plain RSA.
+       - Prefer AEAD ciphers over legacy ciphers.
+       - Prefer ECDSA over RSA when both certificates are available.
+       - Prefer TLSv1.2 ciphers/PRF.
+       - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
+         default cipherlist.
+     [Emilia Käsper]
+
    *) Change the ECC default curve list to be this, in order: x25519,
       secp256r1, secp521r1, secp384r1.
       [Rich Salz]
    *) Change the ECC default curve list to be this, in order: x25519,
       secp256r1, secp521r1, secp384r1.
       [Rich Salz]
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c

index c9b27eba4bce1d36b0339f791609bcb51dd46831..78aaf7bae8fa04383d9289b75b5bc4de039a9154 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -239,7 +239,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_IDEA,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_IDEA,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_MEDIUM,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
@@ -272,7 +272,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_3DES,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_3DES,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       112,
       168,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       112,
       168,
@@ -401,7 +401,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_AES128,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
@@ -463,7 +463,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_AES256,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
@@ -560,7 +560,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128,
       SSL_SHA256,
       SSL_TLSV1_2,
       SSL_AES128,
       SSL_SHA256,
       SSL_TLSV1_2,
-     SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
@@ -579,7 +579,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_CAMELLIA128,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
@@ -595,7 +595,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_CAMELLIA128,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
@@ -611,7 +611,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_CAMELLIA128,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
@@ -661,7 +661,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256,
       SSL_SHA256,
       SSL_TLSV1_2,
       SSL_AES256,
       SSL_SHA256,
       SSL_TLSV1_2,
-     SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
@@ -759,7 +759,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_CAMELLIA256,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
@@ -775,7 +775,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_CAMELLIA256,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
@@ -791,7 +791,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_CAMELLIA256,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
@@ -1028,7 +1028,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_SEED,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_SEED,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_MEDIUM,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
@@ -1044,7 +1044,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_SEED,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_SEED,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_MEDIUM,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
@@ -1060,7 +1060,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_SEED,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_SEED,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_MEDIUM,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
@@ -1160,7 +1160,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128GCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128GCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -1176,7 +1176,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256GCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256GCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256,
@@ -1518,7 +1518,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1_2,
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -1534,7 +1534,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1_2,
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -1550,7 +1550,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1_2,
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -1582,7 +1582,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA256,
       SSL_TLSV1_2,
       SSL_CAMELLIA256,
       SSL_SHA256,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -1598,7 +1598,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA256,
       SSL_TLSV1_2,
       SSL_CAMELLIA256,
       SSL_SHA256,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -1614,7 +1614,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA256,
       SSL_TLSV1_2,
       SSL_CAMELLIA256,
       SSL_SHA256,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -1929,7 +1929,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_3DES,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_3DES,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       112,
       168,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       112,
       168,
@@ -1977,7 +1977,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_AES128,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128,
@@ -2025,7 +2025,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256,
       SSL_SHA1,
       SSL_SSLV3,
       SSL_AES256,
       SSL_SHA1,
       SSL_SSLV3,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       256,
       256,
@@ -2323,7 +2323,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1_2,
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128},
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128},
@@ -2337,7 +2337,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1_2,
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
@@ -2351,7 +2351,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1_2,
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128},
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128},
@@ -2365,7 +2365,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1_2,
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
@@ -2383,7 +2383,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1,
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128},
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128},
@@ -2397,7 +2397,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1,
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
@@ -2411,7 +2411,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1,
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128},
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128},
@@ -2425,7 +2425,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1,
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
@@ -2439,7 +2439,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1,
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128},
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128},
@@ -2453,7 +2453,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1,
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
@@ -2467,7 +2467,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1,
       SSL_CAMELLIA128,
       SSL_SHA256,
       SSL_TLSV1,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128},
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
       128,
       128},
@@ -2481,7 +2481,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1,
       SSL_CAMELLIA256,
       SSL_SHA384,
       SSL_TLSV1,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
       SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
       256,
       256},
@@ -2497,7 +2497,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -2513,7 +2513,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -2529,7 +2529,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -2545,7 +2545,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -2561,7 +2561,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -2577,7 +2577,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -2593,7 +2593,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -2609,7 +2609,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -2625,7 +2625,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -2641,7 +2641,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -2657,7 +2657,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -2673,7 +2673,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -2689,7 +2689,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -2705,7 +2705,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -2721,7 +2721,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -2737,7 +2737,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -2753,7 +2753,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -2769,7 +2769,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256CCM,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
@@ -2785,7 +2785,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES128CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES128CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       128,
       128,
@@ -2801,7 +2801,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
       SSL_AES256CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
       SSL_AES256CCM8,
       SSL_AEAD,
       SSL_TLSV1_2,
-     SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_HIGH,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
       SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
       256,
       256,
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c

index 376b7b62d595c9992b602b0d83b167db2f7f0a83..acf5c00dade5db316f796e24dab7b57fc04ac081 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -278,6 +278,11 @@ static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
  #define CIPHER_DEL      3
  #define CIPHER_ORD      4
  #define CIPHER_SPECIAL  5
  #define CIPHER_DEL      3
  #define CIPHER_ORD      4
  #define CIPHER_SPECIAL  5
+/*
+ * Bump the ciphers to the top of the list.
+ * This rule isn't currently supported by the public cipherstring API.
+ */
+#define CIPHER_BUMP     6
  
  typedef struct cipher_order_st {
      const SSL_CIPHER *cipher;
  
  typedef struct cipher_order_st {
      const SSL_CIPHER *cipher;
@@ -896,7 +901,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
              algo_strength, strength_bits);
  #endif
  
              algo_strength, strength_bits);
  #endif
  
-    if (rule == CIPHER_DEL)
+    if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
          reverse = 1;            /* needed to maintain sorting between
                                   * currently deleted ciphers */
  
          reverse = 1;            /* needed to maintain sorting between
                                   * currently deleted ciphers */
  
@@ -986,6 +991,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
                  ll_append_head(&head, curr, &tail);
                  curr->active = 0;
              }
                  ll_append_head(&head, curr, &tail);
                  curr->active = 0;
              }
+        } else if (rule == CIPHER_BUMP) {
+            if (curr->active)
+                ll_append_head(&head, curr, &tail);
          } else if (rule == CIPHER_KILL) {
              /* reverse == 0 */
              if (head == curr)
          } else if (rule == CIPHER_KILL) {
              /* reverse == 0 */
              if (head == curr)
@@ -1420,20 +1428,36 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
                                 disabled_mac, disabled_ssl, co_list, &head,
                                 &tail);
  
                                 disabled_mac, disabled_ssl, co_list, &head,
                                 &tail);
  
-    /* Now arrange all ciphers by preference: */
+    /* Now arrange all ciphers by preference. */
  
      /*
       * Everything else being equal, prefer ephemeral ECDH over other key
  
      /*
       * Everything else being equal, prefer ephemeral ECDH over other key
-     * exchange mechanisms
+     * exchange mechanisms.
+     * For consistency, prefer ECDSA over RSA (though this only matters if the
+     * server has both certificates, and is using the DEFAULT, or a client
+     * preference).
       */
       */
+    ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
+                          -1, &head, &tail);
      ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
                            &tail);
      ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
                            &tail);
  
      ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
                            &tail);
      ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
                            &tail);
  
-    /* AES is our preferred symmetric cipher */
-    ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head,
-                          &tail);
+
+    /* Within each strength group, we prefer GCM over CHACHA... */
+    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
+                          &head, &tail);
+    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
+                          &head, &tail);
+
+     /*
+      * ...and generally, our preferred cipher is AES.
+      * Note that AEADs will be bumped to take preference after sorting by
+      * strength.
+      */
+    ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
+                          -1, &head, &tail);
  
      /* Temporarily enable everything else for sorting */
      ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
  
      /* Temporarily enable everything else for sorting */
      ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
@@ -1472,6 +1496,33 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
          return NULL;
      }
  
          return NULL;
      }
  
+    /*
+     * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
+     * TODO(openssl-team): is there an easier way to accomplish all this?
+     */
+    ssl_cipher_apply_rule(0, 0, 0, 0, 0, SSL_TLSV1_2, 0, CIPHER_BUMP, -1,
+                          &head, &tail);
+
+    /*
+     * Irrespective of strength, enforce the following order:
+     * (EC)DHE + AEAD > (EC)DHE > rest of AEAD > rest.
+     * Within each group, ciphers remain sorted by strength and previous
+     * preference, i.e.,
+     * 1) ECDHE > DHE
+     * 2) GCM > CHACHA
+     * 3) AES > rest
+     * 4) TLS 1.2 > legacy
+     *
+     * Because we now bump ciphers to the top of the list, we proceed in
+     * reverse order of preference.
+     */
+    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
+                          &head, &tail);
+    ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
+                          CIPHER_BUMP, -1,  &head, &tail);
+    ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
+                          CIPHER_BUMP, -1,  &head, &tail);
+
      /* Now disable everything (maintaining the ordering!) */
      ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
  
      /* Now disable everything (maintaining the ordering!) */
      ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
  
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h

index ca928e7d5d16f2ce581357b2dd28fb1963e10fea..4ea036dbf25067f0d18f274ecfb78c7822e1aaf6 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -358,7 +358,9 @@
  # define SSL_eGOST2814789CNT12   0x00040000U
  # define SSL_CHACHA20POLY1305    0x00080000U
  
  # define SSL_eGOST2814789CNT12   0x00040000U
  # define SSL_CHACHA20POLY1305    0x00080000U
  
-# define SSL_AES                 (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM|SSL_AES128CCM|SSL_AES256CCM|SSL_AES128CCM8|SSL_AES256CCM8)
+# define SSL_AESGCM              (SSL_AES128GCM | SSL_AES256GCM)
+# define SSL_AESCCM              (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
+# define SSL_AES                 (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)
  # define SSL_CAMELLIA            (SSL_CAMELLIA128|SSL_CAMELLIA256)
  # define SSL_CHACHA20            (SSL_CHACHA20POLY1305)
  
  # define SSL_CAMELLIA            (SSL_CAMELLIA128|SSL_CAMELLIA256)
  # define SSL_CHACHA20            (SSL_CHACHA20POLY1305)
author	Emilia Kasper <emilia@openssl.org>
	Thu, 3 Mar 2016 18:50:03 +0000 (19:50 +0100)
committer	Emilia Kasper <emilia@openssl.org>
	Mon, 7 Mar 2016 15:53:42 +0000 (16:53 +0100)
CHANGES		patch \| blob \| history
ssl/s3_lib.c		patch \| blob \| history
ssl/ssl_ciph.c		patch \| blob \| history
ssl/ssl_locl.h		patch \| blob \| history