Remove experimental 56bit export ciphers

author Rich Salz <rsalz@openssl.org>

Fri, 27 Feb 2015 20:06:41 +0000 (15:06 -0500)

committer Rich Salz <rsalz@openssl.org>

Sun, 1 Mar 2015 21:18:16 +0000 (16:18 -0500)
author Rich Salz <rsalz@openssl.org>
Fri, 27 Feb 2015 20:06:41 +0000 (15:06 -0500)
committer Rich Salz <rsalz@openssl.org>
Sun, 1 Mar 2015 21:18:16 +0000 (16:18 -0500)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c

index ab19eebaea792eeaa5cb42947867cd718d7e5c84..20ce112e5ff471fd485e04aba6c572f30eebd222 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1212,88 +1212,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
       },
  #endif                          /* OPENSSL_NO_CAMELLIA */
  
       },
  #endif                          /* OPENSSL_NO_CAMELLIA */
  
-#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
-    /* Cipher 62 */
-    {
-     1,
-     TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-     TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
-    /* Cipher 63 */
-    {
-     1,
-     TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-     TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-     SSL_kDHE,
-     SSL_aDSS,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
-    /* Cipher 64 */
-    {
-     1,
-     TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
-     TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     128,
-     },
-
-    /* Cipher 65 */
-    {
-     1,
-     TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-     TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-     SSL_kDHE,
-     SSL_aDSS,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     128,
-     },
-
-    /* Cipher 66 */
-    {
-     1,
-     TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
-     TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
-     SSL_kDHE,
-     SSL_aDSS,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     128,
-     128,
-     },
-#endif
-
      /* TLS v1.2 ciphersuites */
      /* Cipher 67 */
      {
      /* TLS v1.2 ciphersuites */
      /* Cipher 67 */
      {
diff --git a/ssl/tls1.h b/ssl/tls1.h

index af03f13938ad12e09cd3c891f443a981a8432fb7..cb14d8e89f2858ad27366e3ca0011f8e05345c25 100644 (file)
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -162,8 +162,6 @@ extern "C" {
  #  define OPENSSL_TLS_SECURITY_LEVEL 1
  # endif
  
  #  define OPENSSL_TLS_SECURITY_LEVEL 1
  # endif
  
-# define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES    0
-
  # define TLS1_VERSION                    0x0301
  # define TLS1_1_VERSION                  0x0302
  # define TLS1_2_VERSION                  0x0303
  # define TLS1_VERSION                    0x0301
  # define TLS1_1_VERSION                  0x0302
  # define TLS1_2_VERSION                  0x0303
@@ -411,23 +409,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
  # define TLS1_CK_PSK_WITH_AES_128_CBC_SHA                0x0300008C
  # define TLS1_CK_PSK_WITH_AES_256_CBC_SHA                0x0300008D
  
  # define TLS1_CK_PSK_WITH_AES_128_CBC_SHA                0x0300008C
  # define TLS1_CK_PSK_WITH_AES_256_CBC_SHA                0x0300008D
  
-/*
- * Additional TLS ciphersuites from expired Internet Draft
- * draft-ietf-tls-56-bit-ciphersuites-01.txt (available if
- * TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see s3_lib.c).  We
- * actually treat them like SSL 3.0 ciphers, which we probably shouldn't.
- * Note that the first two are actually not in the IDs.
- */
-# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5          0x03000060/* not in
-                                                                    * ID */
-# define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5      0x03000061/* not in
-                                                                    * ID */
-# define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA         0x03000062
-# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA     0x03000063
-# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA          0x03000064
-# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA      0x03000065
-# define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA                0x03000066
-
  /* AES ciphersuites from RFC3268 */
  
  # define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
  /* AES ciphersuites from RFC3268 */
  
  # define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
author	Rich Salz <rsalz@openssl.org>
	Fri, 27 Feb 2015 20:06:41 +0000 (15:06 -0500)
committer	Rich Salz <rsalz@openssl.org>
	Sun, 1 Mar 2015 21:18:16 +0000 (16:18 -0500)
ssl/s3_lib.c		patch \| blob \| history
ssl/tls1.h		patch \| blob \| history