From ef28891bab7054667f2f6739f6d376c38b3ca1cc Mon Sep 17 00:00:00 2001
From: Rich Salz
Date: Thu, 18 Aug 2016 08:56:42 -0400
Subject: [PATCH] Put DES into "not default" category.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Add CVE to CHANGES

Reviewed-by: Emilia Käsper
---
 CHANGES | 5 +++--
 ssl/s3_lib.c | 22 +++++++++++-----------
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/CHANGES b/CHANGES
index fb4e7a53db..78a5a4d51c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,8 +4,9 @@
 Changes between 1.0.2h and 1.1.0 [xx XXX xxxx]
- *) Because of the SWEET32 attack, 3DES cipher suites have been disabled by
- default like RC4. See the RC4 item below to re-enable both.
+ *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
+ have been disabled by default and removed from DEFAULT, just like RC4.
+ See the RC4 item below to re-enable both.
 [Rich Salz]
 *) The method for finding the storage location for the Windows RAND seed file
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 1baf9936ba..e94ee83717 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -57,7 +57,7 @@
 #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers)
 /*
- * The list of available ciphers, organized into the following
+ * The list of available ciphers, mostly organized into the following
 * groups:
 * Always there
 * EC
@@ -108,7 +108,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
 DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -138,7 +138,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
 DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
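Review bot: The reason for the new `SSL_NOT_DEFAULT` bit is recorded only in CHANGES. In ssl/s3_lib.c the table header comment touched at -57 gains just the word "mostly", and the entries changed at -108 and -138 (like the eight further hunks from -862 to -1754) carry no explanation. A maintainer reading the table sees entries that keep `SSL_MEDIUM` and the 112/168 fields (presumably strength and key bits) yet are excluded from DEFAULT, with nothing saying the exclusion concerns the 64-bit block size rather than key strength. I would add one line to that header comment, for example `* 3DES suites are SSL_NOT_DEFAULT: 64-bit block cipher, see SWEET32 (CVE-2016-2183).` Both the comment and the `ssl3_ciphers[]` initializer continue outside these hunks.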
@@ -862,7 +862,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
 DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -924,7 +924,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
 DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -1201,7 +1201,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
 DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -1248,7 +1248,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
 DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -1295,7 +1295,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
 DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -1613,7 +1613,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
 DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -1739,7 +1739,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
 DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -1754,7 +1754,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
 DTLS1_BAD_VER, DTLS1_2_VERSION,
- SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
-- 2.40.0
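Review bot: Nothing in this patch checks that every 3DES suite in `ssl3_ciphers[]` was reached. Each hunk from -862 to -1754 (and the two at -108 and -138) shows only the trailing fields of an entry, so the cipher name and id sit outside the hunk and the ten edits can only be matched by their 112/168 fields. A missed entry, or one added later without the flag, would silently stay in DEFAULT. I would add a regression check that expands the DEFAULT cipher string and fails if any 3DES suite appears; as a manual check, `openssl ciphers -v DEFAULT` should print no line containing `Enc=3DES(168)`. From what is visible the flag only governs DEFAULT, so whether explicit strings still select these suites depends on code outside this diff.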