Reduce priority of 3DES ciphersuites
This commit is contained in:
Andres Amaya Garcia
Manuel Pégourié-Gonnard
parent
2c1d492ccc
commit
5d8aade01d
5 changed files with 58 additions and 22 deletions
|
|
@ -43,11 +43,11 @@
|
|||
/*
|
||||
* Ordered from most preferred to least preferred in terms of security.
|
||||
*
|
||||
* Current rule (except rc4, weak and null which come last):
|
||||
* Current rule (except RC4 and 3DES, weak and null which come last):
|
||||
* 1. By key exchange:
|
||||
* Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
|
||||
* 2. By key length and cipher:
|
||||
* ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128 > 3DES
|
||||
* ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128
|
||||
* 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
|
||||
* 4. By hash function used when relevant
|
||||
* 5. By key exchange/auth again: EC > non-EC
|
||||
|
|
@ -126,11 +126,6 @@ static const int ciphersuite_preference[] =
|
|||
MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
|
||||
MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
|
||||
|
||||
/* All remaining >= 128-bit ephemeral suites */
|
||||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
|
||||
/* The PSK ephemeral suites */
|
||||
MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
|
|
@ -162,9 +157,6 @@ static const int ciphersuite_preference[] =
|
|||
MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
|
||||
MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
|
||||
|
||||
MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
|
||||
/* The ECJPAKE suite */
|
||||
MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
|
||||
|
||||
|
|
@ -228,11 +220,6 @@ static const int ciphersuite_preference[] =
|
|||
MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
|
||||
MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
|
||||
|
||||
/* All remaining >= 128-bit suites */
|
||||
MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
|
||||
/* The RSA PSK suites */
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
|
||||
|
|
@ -251,8 +238,6 @@ static const int ciphersuite_preference[] =
|
|||
MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
|
||||
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
|
||||
/* The PSK suites */
|
||||
MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
|
||||
|
|
@ -275,6 +260,16 @@ static const int ciphersuite_preference[] =
|
|||
MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
|
||||
MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
|
||||
|
||||
/* 3DES suites */
|
||||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
|
||||
/* RC4 suites */
|
||||
|
|
@ -2187,6 +2182,26 @@ const int *mbedtls_ssl_list_ciphersuites( void )
|
|||
static int supported_ciphersuites[MAX_CIPHERSUITES];
|
||||
static int supported_init = 0;
|
||||
|
||||
static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
|
||||
{
|
||||
(void)cs_info;
|
||||
|
||||
#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
|
||||
if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
return( 1 );
|
||||
#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
|
||||
|
||||
#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
|
||||
if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
|
||||
cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
const int *mbedtls_ssl_list_ciphersuites( void )
|
||||
{
|
||||
/*
|
||||
|
|
@ -2202,14 +2217,12 @@ const int *mbedtls_ssl_list_ciphersuites( void )
|
|||
*p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
|
||||
p++ )
|
||||
{
|
||||
#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
|
||||
const mbedtls_ssl_ciphersuite_t *cs_info;
|
||||
if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL &&
|
||||
cs_info->cipher != MBEDTLS_CIPHER_ARC4_128 )
|
||||
#else
|
||||
if( mbedtls_ssl_ciphersuite_from_id( *p ) != NULL )
|
||||
#endif
|
||||
!ciphersuite_is_removed( cs_info ) )
|
||||
{
|
||||
*(q++) = *p;
|
||||
}
|
||||
}
|
||||
*q = 0;
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue