[openssl] master update
tomas at openssl.org
tomas at openssl.org
Thu Sep 23 12:18:11 UTC 2021
The branch master has been updated
via c3b5fa4ab7d19e35311a21fec3ebc0a333c352b6 (commit)
from eeb612021e220de734e1ff08499f42bb962c3916 (commit)
- Log -----------------------------------------------------------------
commit c3b5fa4ab7d19e35311a21fec3ebc0a333c352b6
Author: slontis <shane.lontis at oracle.com>
Date: Wed Sep 22 15:53:54 2021 +1000
Change TLS RC4 cipher strength check to be data driven.
This is a same pattern as used in PR #16652
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16656)
-----------------------------------------------------------------------
Summary of changes:
ssl/s3_lib.c | 20 ++++++++++----------
ssl/ssl_cert.c | 3 ---
2 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 348d02d8bd..ef027d79e0 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2807,7 +2807,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 80,
128,
},
{
@@ -2823,7 +2823,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 80,
128,
},
{
@@ -2839,7 +2839,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 80,
128,
},
{
@@ -2855,7 +2855,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 80,
128,
},
{
@@ -2871,7 +2871,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 80,
128,
},
{
@@ -2887,7 +2887,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 80,
128,
},
{
@@ -2903,7 +2903,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 80,
128,
},
{
@@ -2919,7 +2919,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 80,
128,
},
{
@@ -2935,7 +2935,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 80,
128,
},
{
@@ -2951,7 +2951,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 80,
128,
},
#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 547e9b9ccd..a9e71046b3 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1021,9 +1021,6 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
/* SHA1 HMAC is 160 bits of security */
if (minbits > 160 && c->algorithm_mac & SSL_SHA1)
return 0;
- /* Level 2: no RC4 */
- if (level >= 2 && c->algorithm_enc == SSL_RC4)
- return 0;
/* Level 3: forward secure ciphersuites only */
if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
!(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
More information about the openssl-commits
mailing list