author | Kamil Dudka <kdudka@redhat.com> | 2014-03-07 13:02:03 +0100 |
---|---|---|
committer | Kamil Dudka <kdudka@redhat.com> | 2014-03-15 13:07:55 +0100 |
commit | b4f6cd46eb1b5a98573e0c0e619dc71646affdc8 (patch) | |
tree | 84c5a22af2324a47854393023d6db3a990553ac4 | |
parent | 4c599b9d2d2f36d2ae45103fdd0afde44986a784 (diff) |
nss: do not enable AES cipher-suites by default
... but allow them to be enabled/disabled explicitly. The default
policy should be maintained at the NSS level.
-rw-r--r-- | lib/vtls/nss.c | 27 |
1 files changed, 4 insertions, 23 deletions
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 8e8a41ec0..e22b09841 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -123,6 +123,10 @@ static const cipher_s cipherlist[] = {
 {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
 {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
 /* AES ciphers. */
+ {"dhe_dss_aes_128_cbc_sha", TLS_DHE_DSS_WITH_AES_128_CBC_SHA},
+ {"dhe_dss_aes_256_cbc_sha", TLS_DHE_DSS_WITH_AES_256_CBC_SHA},
+ {"dhe_rsa_aes_128_cbc_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
+ {"dhe_rsa_aes_256_cbc_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
 {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA},
 {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA},
 /* ECC ciphers. */
@@ -153,18 +157,6 @@ static const cipher_s cipherlist[] = {
 {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
 };
-/* following ciphers are new in NSS 3.4 and not enabled by default, therefore
- they are enabled explicitly */
-static const int enable_ciphers_by_default[] = {
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_RSA_WITH_AES_128_CBC_SHA,
- TLS_RSA_WITH_AES_256_CBC_SHA,
- SSL_NULL_WITH_NULL_NULL
-};
-
 static const char* pem_library = "libnsspem.so";
 SECMODModule* mod = NULL;
@@ -1294,7 +1286,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 curl_socket_t sockfd = conn->sock[sockindex];
 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
 CURLcode curlerr;
- const int *cipher_to_enable;
 PRSocketOptionData sock_opt;
 long time_left;
 PRUint32 timeout;
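Review bot: The four added `cipherlist` entries spell the mode out (`dhe_rsa_aes_128_cbc_sha`), while the two entries right after them map `TLS_RSA_WITH_AES_128_CBC_SHA` and `TLS_RSA_WITH_AES_256_CBC_SHA` to `rsa_aes_128_sha` and `rsa_aes_256_sha`, so the AES group now mixes two naming conventions in strings that users type into the cipher list. A short comment on the group would make that explicit, for example `/* AES ciphers. DHE names carry "_cbc", the RSA names do not. */`. The same commit drops `enable_ciphers_by_default` and the loop that applied it, so when no `cipher_list` is set nothing visible in `Curl_nss_connect` touches cipher preferences any more, and these names become the way to switch the AES suites on from curl where the NSS policy leaves them off. The new names should therefore be listed wherever the accepted cipher names are documented; that documentation is not visible in this diff. The `cipherlist` array begins before and ends after this hunk.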
@@ -1396,16 +1387,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 /* reset the flag to avoid an infinite loop */
 data->state.ssl_connect_retry = FALSE;
- /* enable all ciphers from enable_ciphers_by_default */
- cipher_to_enable = enable_ciphers_by_default;
- while(SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
- if(SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
- curlerr = CURLE_SSL_CIPHER;
- goto error;
- }
- cipher_to_enable++;
- }
-
 if(data->set.ssl.cipher_list) {
 if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
 curlerr = CURLE_SSL_CIPHER; |