From: Bodo Möller Date: Wed, 14 Jun 2006 17:51:46 +0000 (+0000) Subject: Disable invalid ciphersuites X-Git-Tag: OpenSSL_0_9_8k^2~1251 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=5b57fe0a1ed1162d4bbaed28d5046300be42d6ec;p=oweals%2Fopenssl.git Disable invalid ciphersuites --- diff --git a/CHANGES b/CHANGES index 2cf3cd22b2..0d4435913c 100644 --- a/CHANGES +++ b/CHANGES @@ -250,21 +250,6 @@ implementations, between 32- and 64-bit builds without hassle. [Andy Polyakov] - *) Disable rogue ciphersuites: - - - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") - - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") - - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") - - The latter two were purportedly from - draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really - appear there. - - Other ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt - remain enabled for now, but are just as unofficial, and the ID - has long expired; these will probably disappear soon. - [Bodo Moeller] - *) Move code previously exiled into file crypto/ec/ec2_smpt.c to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP macro. @@ -322,6 +307,21 @@ Changes between 0.9.8b and 0.9.8c [xx XXX xxxx] + *) Disable rogue ciphersuites: + + - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") + - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") + - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") + + The latter two were purportedly from + draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really + appear there. + + Also deactive the remaining ciphersuites from + draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as + unofficial, and the ID has long expired. + [Bodo Moeller] + *) Fix RSA blinding Heisenbug (problems sometimes occured on dual-core machines) and other potential thread-safety issues. [Bodo Moeller] @@ -1248,6 +1248,21 @@ Changes between 0.9.7j and 0.9.7k [xx XXX xxxx] + *) Disable rogue ciphersuites: + + - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") + - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") + - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") + + The latter two were purportedly from + draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really + appear there. + + Also deactive the remaining ciphersuites from + draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as + unofficial, and the ID has long expired. + [Bodo Moeller] + *) Fix RSA blinding Heisenbug (problems sometimes occured on dual-core machines) and other potential thread-safety issues. [Bodo Moeller] diff --git a/ssl/tls1.h b/ssl/tls1.h index 1c1ca1533b..d6687a8fe4 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -157,7 +157,7 @@ extern "C" { #endif -#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1 +#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 #define TLS1_VERSION 0x0301 #define TLS1_VERSION_MAJOR 0x03