Remove 3DES ciphersuites
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
This commit is contained in:
TRodziewicz
parent
f1eb425782
commit
3670e387dc
6 changed files with 23 additions and 196 deletions
|
|
@ -682,26 +682,6 @@
|
|||
*/
|
||||
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
|
||||
*
|
||||
* Remove 3DES ciphersuites by default in SSL / TLS.
|
||||
* This flag removes the ciphersuites based on 3DES from the default list as
|
||||
* returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
|
||||
* to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
|
||||
* them explicitly.
|
||||
*
|
||||
* A man-in-the-browser attacker can recover authentication tokens sent through
|
||||
* a TLS connection using a 3DES based cipher suite (see "On the Practical
|
||||
* (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
|
||||
* Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
|
||||
* in your threat model or you are unsure, then you should keep this option
|
||||
* enabled to remove 3DES based cipher suites.
|
||||
*
|
||||
* Comment this macro to keep 3DES in the default ciphersuite list.
|
||||
*/
|
||||
#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
*
|
||||
|
|
@ -843,7 +823,6 @@
|
|||
* MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
||||
|
||||
|
|
@ -866,7 +845,6 @@
|
|||
* MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* \warning Using DHE constitutes a security risk as it
|
||||
* is not possible to validate custom DH parameters.
|
||||
|
|
@ -892,7 +870,6 @@
|
|||
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
||||
|
||||
|
|
@ -916,7 +893,6 @@
|
|||
* MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
|
||||
|
|
@ -942,7 +918,6 @@
|
|||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
|
||||
|
|
@ -968,7 +943,6 @@
|
|||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* \warning Using DHE constitutes a security risk as it
|
||||
* is not possible to validate custom DH parameters.
|
||||
|
|
@ -999,7 +973,6 @@
|
|||
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
|
||||
|
|
@ -1022,7 +995,6 @@
|
|||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
|
||||
|
|
@ -1035,7 +1007,6 @@
|
|||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
|
||||
|
|
@ -1058,7 +1029,6 @@
|
|||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
|
||||
|
|
@ -2370,7 +2340,7 @@
|
|||
* \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying
|
||||
* implementation of the CMAC algorithm is provided by an alternate
|
||||
* implementation, that alternate implementation may opt to not support
|
||||
* AES-192 or 3DES as underlying block ciphers for the CMAC operation.
|
||||
* AES-192 as underlying block ciphers for the CMAC operation.
|
||||
*
|
||||
* Module: library/cmac.c
|
||||
*
|
||||
|
|
@ -2422,19 +2392,6 @@
|
|||
* Caller: library/pem.c
|
||||
* library/cipher.c
|
||||
*
|
||||
* This module enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* PEM_PARSE uses DES/3DES for decrypting encrypted keys.
|
||||
*
|
||||
* \warning DES is considered a weak cipher and its use constitutes a
|
||||
|
|
|
|||
|
|
@ -42,10 +42,6 @@ extern "C" {
|
|||
#define MBEDTLS_TLS_RSA_WITH_NULL_MD5 0x01 /**< Weak! */
|
||||
#define MBEDTLS_TLS_RSA_WITH_NULL_SHA 0x02 /**< Weak! */
|
||||
|
||||
#define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x0A
|
||||
|
||||
#define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x16
|
||||
|
||||
#define MBEDTLS_TLS_PSK_WITH_NULL_SHA 0x2C /**< Weak! */
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA 0x2D /**< Weak! */
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA 0x2E /**< Weak! */
|
||||
|
|
@ -68,15 +64,12 @@ extern "C" {
|
|||
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x84
|
||||
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x88
|
||||
|
||||
#define MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 0x8B
|
||||
#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 0x8C
|
||||
#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 0x8D
|
||||
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 0x8F
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x90
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x91
|
||||
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 0x93
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 0x94
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 0x95
|
||||
|
||||
|
|
@ -114,22 +107,18 @@ extern "C" {
|
|||
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4 /**< TLS 1.2 */
|
||||
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
|
||||
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A
|
||||
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F
|
||||
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014
|
||||
|
||||
|
|
@ -151,7 +140,6 @@ extern "C" {
|
|||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 /**< TLS 1.2 */
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 /**< TLS 1.2 */
|
||||
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 0xC034
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue