Merge remote-tracking branch 'restricted/pr/528' into development
* restricted/pr/528: Update query_config.c Fix failure in SSLv3 per-version suites test Adjust DES exclude lists in test scripts Clarify 3DES changes in ChangeLog Fix documentation for 3DES removal Exclude 3DES tests in test scripts Fix wording of ChangeLog and 3DES_REMOVE docs Reduce priority of 3DES ciphersuites
This commit is contained in:
Simon Butcher
commit
195bddebcc
10 changed files with 94 additions and 31 deletions
|
|
@ -687,6 +687,26 @@
|
|||
*/
|
||||
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
|
||||
*
|
||||
* Remove 3DES ciphersuites by default in SSL / TLS.
|
||||
* This flag removes the ciphersuites based on 3DES from the default list as
|
||||
* returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
|
||||
* to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
|
||||
* them explicitly.
|
||||
*
|
||||
* A man-in-the-browser attacker can recover authentication tokens sent through
|
||||
* a TLS connection using a 3DES based cipher suite (see "On the Practical
|
||||
* (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
|
||||
* Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
|
||||
* in your threat model or you are unsure, then you should keep this option
|
||||
* enabled to remove 3DES based cipher suites.
|
||||
*
|
||||
* Comment this macro to keep 3DES in the default ciphersuite list.
|
||||
*/
|
||||
#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
*
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue