authorKamil Dudka <kdudka@redhat.com>2014-03-07 13:02:03 +0100
committerKamil Dudka <kdudka@redhat.com>2014-03-15 13:07:55 +0100
commitb4f6cd46eb1b5a98573e0c0e619dc71646affdc8 (patch)
tree84c5a22af2324a47854393023d6db3a990553ac4
parent4c599b9d2d2f36d2ae45103fdd0afde44986a784 (diff)
nss: do not enable AES cipher-suites by default
... but allow them to be enabled/disabled explicitly. The default policy should be maintained at the NSS level.
-rw-r--r--lib/vtls/nss.c27
1 files changed, 4 insertions, 23 deletions
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 8e8a41ec0..e22b09841 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -123,6 +123,10 @@ static const cipher_s cipherlist[] = {
{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
/* AES ciphers. */
+ {"dhe_dss_aes_128_cbc_sha", TLS_DHE_DSS_WITH_AES_128_CBC_SHA},
+ {"dhe_dss_aes_256_cbc_sha", TLS_DHE_DSS_WITH_AES_256_CBC_SHA},
+ {"dhe_rsa_aes_128_cbc_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
+ {"dhe_rsa_aes_256_cbc_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA},
{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA},
/* ECC ciphers. */
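Review bot: The four added names spell out the mode (`dhe_rsa_aes_128_cbc_sha`), while the two RSA entries directly below keep the older form without it (`rsa_aes_128_sha`), so the AES group now has two naming patterns for the same kind of suite. Since this commit stops force-enabling these suites, naming one in the cipher list is the only way an application can turn it on independently of the NSS default, and a name guessed from the wrong pattern will not match any entry; how set_ciphers() treats an unmatched name is not visible in this hunk. I would document this on the group, e.g. `/* AES ciphers: not enabled by curl itself; active only if the NSS default policy or the cipher list enables them. */`, and list the exact spellings in the cipher-list documentation. The cipherlist[] initializer starts and ends outside the hunk.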
@@ -153,18 +157,6 @@ static const cipher_s cipherlist[] = {
{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
};
-/* following ciphers are new in NSS 3.4 and not enabled by default, therefore
- they are enabled explicitly */
-static const int enable_ciphers_by_default[] = {
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_RSA_WITH_AES_128_CBC_SHA,
- TLS_RSA_WITH_AES_256_CBC_SHA,
- SSL_NULL_WITH_NULL_NULL
-};
-
static const char* pem_library = "libnsspem.so";
SECMODModule* mod = NULL;
@@ -1294,7 +1286,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CURLcode curlerr;
- const int *cipher_to_enable;
PRSocketOptionData sock_opt;
long time_left;
PRUint32 timeout;
@@ -1396,16 +1387,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
/* reset the flag to avoid an infinite loop */
data->state.ssl_connect_retry = FALSE;
- /* enable all ciphers from enable_ciphers_by_default */
- cipher_to_enable = enable_ciphers_by_default;
- while(SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
- if(SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
- curlerr = CURLE_SSL_CIPHER;
- goto error;
- }
- cipher_to_enable++;
- }
-
if(data->set.ssl.cipher_list) {
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
curlerr = CURLE_SSL_CIPHER;