You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
234 lines
12 KiB
234 lines
12 KiB
diff -up nss/lib/ssl/ssl3con.c.reorder-cipher-suites nss/lib/ssl/ssl3con.c |
|
--- nss/lib/ssl/ssl3con.c.reorder-cipher-suites 2017-04-26 11:47:33.690047402 +0200 |
|
+++ nss/lib/ssl/ssl3con.c 2017-04-26 11:51:51.103013632 +0200 |
|
@@ -91,54 +91,44 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi |
|
/* clang-format off */ |
|
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
|
/* cipher_suite policy enabled isPresent */ |
|
- /* Special TLS 1.3 suites. */ |
|
- { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
|
- { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
|
- { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
|
- |
|
- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around |
|
- * bug 946147. |
|
- */ |
|
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- |
|
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, |
|
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- |
|
{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
@@ -147,27 +137,21 @@ static ssl3CipherSuiteCfg cipherSuites[s |
|
{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- |
|
- /* RSA */ |
|
- { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
+ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
{ TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, |
|
- |
|
- /* 56-bit DES "domestic" cipher suites */ |
|
{ TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
- |
|
- /* ciphersuites with no encryption */ |
|
{ TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
@@ -175,6 +159,9 @@ static ssl3CipherSuiteCfg cipherSuites[s |
|
{ TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
{ TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, |
|
+ { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
|
+ { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
|
+ { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE }, |
|
}; |
|
/* clang-format on */ |
|
|
|
diff -up nss/lib/ssl/sslenum.c.reorder-cipher-suites nss/lib/ssl/sslenum.c |
|
--- nss/lib/ssl/sslenum.c.reorder-cipher-suites 2017-04-26 11:46:50.215066457 +0200 |
|
+++ nss/lib/ssl/sslenum.c 2017-04-26 11:47:09.362617638 +0200 |
|
@@ -55,53 +55,44 @@ |
|
* the third one. |
|
*/ |
|
const PRUint16 SSL_ImplementedCiphers[] = { |
|
- TLS_AES_128_GCM_SHA256, |
|
- TLS_CHACHA20_POLY1305_SHA256, |
|
- TLS_AES_256_GCM_SHA384, |
|
- |
|
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
|
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, |
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, |
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, |
|
- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before |
|
- * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147. |
|
- */ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
|
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, |
|
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
|
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, |
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
|
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, |
|
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
|
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
|
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
|
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, |
|
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, |
|
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
|
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
|
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, |
|
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
|
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, |
|
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
|
TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
|
- |
|
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, |
|
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, |
|
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, |
|
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, |
|
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, |
|
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, |
|
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, |
|
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, |
|
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, |
|
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, |
|
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, |
|
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, |
|
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, |
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, |
|
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, |
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, |
|
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, |
|
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, |
|
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, |
|
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA, |
|
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA, |
|
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, |
|
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, |
|
- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, |
|
- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, |
|
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, |
|
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, |
|
TLS_DHE_DSS_WITH_RC4_128_SHA, |
|
- |
|
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, |
|
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, |
|
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, |
|
@@ -110,26 +101,21 @@ const PRUint16 SSL_ImplementedCiphers[] |
|
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, |
|
TLS_ECDH_ECDSA_WITH_RC4_128_SHA, |
|
TLS_ECDH_RSA_WITH_RC4_128_SHA, |
|
- |
|
- TLS_RSA_WITH_AES_128_GCM_SHA256, |
|
TLS_RSA_WITH_AES_256_GCM_SHA384, |
|
- TLS_RSA_WITH_AES_128_CBC_SHA, |
|
- TLS_RSA_WITH_AES_128_CBC_SHA256, |
|
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, |
|
TLS_RSA_WITH_AES_256_CBC_SHA, |
|
TLS_RSA_WITH_AES_256_CBC_SHA256, |
|
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, |
|
+ TLS_RSA_WITH_AES_128_GCM_SHA256, |
|
+ TLS_RSA_WITH_AES_128_CBC_SHA, |
|
+ TLS_RSA_WITH_AES_128_CBC_SHA256, |
|
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, |
|
TLS_RSA_WITH_SEED_CBC_SHA, |
|
TLS_RSA_WITH_3DES_EDE_CBC_SHA, |
|
TLS_RSA_WITH_RC4_128_SHA, |
|
TLS_RSA_WITH_RC4_128_MD5, |
|
- |
|
- /* 56-bit DES "domestic" cipher suites */ |
|
TLS_DHE_RSA_WITH_DES_CBC_SHA, |
|
TLS_DHE_DSS_WITH_DES_CBC_SHA, |
|
TLS_RSA_WITH_DES_CBC_SHA, |
|
- |
|
- /* ciphersuites with no encryption */ |
|
TLS_ECDHE_ECDSA_WITH_NULL_SHA, |
|
TLS_ECDHE_RSA_WITH_NULL_SHA, |
|
TLS_ECDH_RSA_WITH_NULL_SHA, |
|
@@ -137,6 +123,9 @@ const PRUint16 SSL_ImplementedCiphers[] |
|
TLS_RSA_WITH_NULL_SHA, |
|
TLS_RSA_WITH_NULL_SHA256, |
|
TLS_RSA_WITH_NULL_MD5, |
|
+ TLS_AES_128_GCM_SHA256, |
|
+ TLS_CHACHA20_POLY1305_SHA256, |
|
+ TLS_AES_256_GCM_SHA384, |
|
|
|
0 |
|
};
|
|
|