From 4a8e9c22f42065e603ecdac7fd4691e6c3c06b72 Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Thu, 5 May 2016 17:08:41 -0400 Subject: [PATCH] Move 3DES from HIGH to MEDIUM Reviewed-by: Viktor Dukhovni --- CHANGES | 2 ++ ssl/s3_lib.c | 28 ++++++++++++++-------------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/CHANGES b/CHANGES index 7aececbd83..3d91a6bc0f 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,8 @@ Changes between 1.0.2g and 1.1.0 [xx XXX xxxx] + *) Triple-DES ciphers have been moved from HIGH to MEDIUM. + *) To enable users to have their own config files and build file templates, Configure looks in the directory indicated by the environment variable OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/ diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index fc2aac890e..9064abb7ce 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -208,7 +208,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_HIGH | SSL_FIPS, + SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -223,7 +223,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -238,7 +238,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_HIGH | SSL_FIPS, + SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -253,7 +253,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, 
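Review bot: No comment explains why these entries are now `SSL_MEDIUM` while still declaring `112, 168` as strength and key bits, so the new class can look like a mistake to a later reader; this applies at the `@@ -208` hunk and to the thirteen other hunks in ssl/s3_lib.c that make the same substitution. I would record the reason once above the first 3DES entry, assuming it is the 64-bit block size (confirm with the author), e.g. `/* 3DES is MEDIUM: the 64-bit block size limits how much data is safe under one key, regardless of key length */`. The CHANGES line should also say that cipher strings selecting `HIGH` no longer offer 3DES, so operators with peers that only support 3DES know they must name it explicitly. The diffstat lists only CHANGES and ssl/s3_lib.c, so the cipher-string documentation is not updated here and may still describe HIGH and MEDIUM by key length. The ssl3_ciphers[] initializer begins and ends outside every hunk, so whether any 3DES entry still carries `SSL_HIGH` cannot be checked from this page.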
@@ -960,7 +960,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_HIGH | SSL_FIPS, + SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1020,7 +1020,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_HIGH | SSL_FIPS, + SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1080,7 +1080,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1293,7 +1293,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_HIGH | SSL_FIPS, + SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1338,7 +1338,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_HIGH | SSL_FIPS, + SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1383,7 +1383,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_HIGH | SSL_FIPS, + SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1699,7 +1699,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_HIGH | SSL_FIPS, + SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1823,7 +1823,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_HIGH, + SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, 
@@ -1838,7 +1838,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_HIGH, + SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1853,7 +1853,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, -- 2.34.1