Disable invalid ciphersuites
authorBodo Möller <bodo@openssl.org>
Wed, 14 Jun 2006 17:52:01 +0000 (17:52 +0000)
committerBodo Möller <bodo@openssl.org>
Wed, 14 Jun 2006 17:52:01 +0000 (17:52 +0000)
CHANGES
ssl/s2_lib.c
ssl/s3_lib.c
ssl/tls1.h

diff --git a/CHANGES b/CHANGES
index 3561011c3d509fe0ac7d6ac9def862d646e4c66f..82790879f981c54963b72666940e0334fafb8f21 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,21 @@
 
  Changes between 0.9.8b and 0.9.8c  [xx XXX xxxx]
 
+  *) Disable rogue ciphersuites:
+
+      - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+      - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+      - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+
+     The latter two were purportedly from
+     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+     appear there.
+
+     Also deactive the remaining ciphersuites from
+     draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
+     unofficial, and the ID has long expired.
+     [Bodo Moeller]
+
   *) Fix RSA blinding Heisenbug (problems sometimes occured on
      dual-core machines) and other potential thread-safety issues.
      [Bodo Moeller]
 
  Changes between 0.9.7j and 0.9.7k  [xx XXX xxxx]
 
+  *) Disable rogue ciphersuites:
+
+      - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+      - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+      - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+
+     The latter two were purportedly from
+     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+     appear there.
+
+     Also deactive the remaining ciphersuites from
+     draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
+     unofficial, and the ID has long expired.
+     [Bodo Moeller]
+
   *) Fix RSA blinding Heisenbug (problems sometimes occured on
      dual-core machines) and other potential thread-safety issues.
      [Bodo Moeller]
index d2cce7546d2ee2a965f43cb6f153b5ddd5d501a6..def3a6e89afd265ffefcb701949d54eecc52878e 100644 (file)
@@ -178,7 +178,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
        SSL_ALL_STRENGTHS,
        },
 /* RC4_64_WITH_MD5 */
-#if 1
+#if 0
        {
        1,
        SSL2_TXT_RC4_64_WITH_MD5,
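Review bot: The `#if 0` that now compiles out the RC4_64_WITH_MD5 entry carries no rationale, so a later reader sees only a dead table entry and may switch it back on. I would extend the existing comment to something like `/* RC4_64_WITH_MD5: disabled, not a legitimate SSLv2 ciphersuite (see CHANGES) */`. `SSL2_TXT_RC4_64_WITH_MD5` presumably stays defined in the SSLv2 header, so that definition may deserve a note that no table entry backs it any more. The entry and its closing `#endif` continue outside the hunk.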
index ca38c8615833691dd39c34d7c212668fb19cc5af..0eff243c1298a97f3c0014933464a85e7116fe82 100644 (file)
@@ -986,7 +986,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 #endif /* OPENSSL_NO_CAMELLIA */
 
 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
-       /* New TLS Export CipherSuites */
+       /* New TLS Export CipherSuites from expired ID */
+#if 0
        /* Cipher 60 */
            {
            1,
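Review bot: The new `#if 0` around ciphers 60 and 61 is nested inside `#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES`, and its `#endif` (added in the next hunk, just before `/* Cipher 62 */`) is unlabelled, so the nesting is easy to misread when the outer macro is changed. Label the close, e.g. `#endif /* 0: ciphers 60 and 61 do not appear in the draft */`, and put the same reason next to the `#if 0`. That would also record that these two entries stay off even if the macro is set back to 1, which is what the CHANGES entry describes. The `ssl3_ciphers[]` initializer starts and ends outside both hunks.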
@@ -1013,6 +1014,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            SSL_ALL_CIPHERS,
            SSL_ALL_STRENGTHS,
            },
+#endif
        /* Cipher 62 */
            {
            1,
index c3155e6fa824e565053120cd456f105a582b36e9..e5f9aa1ef6ff91f90ea2f277abba364fb1c29183 100644 (file)
@@ -78,7 +78,7 @@
 extern "C" {
 #endif
 
-#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES   1
+#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES   0
 
 #define TLS1_VERSION                   0x0301
 #define TLS1_VERSION_MAJOR             0x03
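Review bot: `TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES` is still defined, now as 0, so only `#if` tests exclude the export suites; any `#ifdef` test on it would remain true. The s3_lib.c hunk in this commit uses `#if`, but other uses in the tree or in applications that include this public header are not visible here and should be checked. The define also has no explanation, so I would add a comment above it such as `/* 0: ciphersuites from the expired draft-ietf-tls-56-bit-ciphersuites-01.txt are compiled out */`.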