The branch master has been updated via c3b5fa4ab7d19e35311a21fec3ebc0a333c352b6 (commit) from eeb612021e220de734e1ff08499f42bb962c3916 (commit)
- Log ----------------------------------------------------------------- commit c3b5fa4ab7d19e35311a21fec3ebc0a333c352b6 Author: slontis <shane.lon...@oracle.com> Date: Wed Sep 22 15:53:54 2021 +1000 Change TLS RC4 cipher strength check to be data driven. This is a same pattern as used in PR #16652 Reviewed-by: Paul Dale <pa...@openssl.org> Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16656) ----------------------------------------------------------------------- Summary of changes: ssl/s3_lib.c | 20 ++++++++++---------- ssl/ssl_cert.c | 3 --- 2 files changed, 10 insertions(+), 13 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 348d02d8bd..ef027d79e0 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2807,7 +2807,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2823,7 +2823,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2839,7 +2839,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2855,7 +2855,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2871,7 +2871,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2887,7 +2887,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2903,7 +2903,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2919,7 +2919,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2935,7 +2935,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2951,7 +2951,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, #endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */ diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 547e9b9ccd..a9e71046b3 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1021,9 +1021,6 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, /* SHA1 HMAC is 160 bits of security */ if (minbits > 160 && c->algorithm_mac & SSL_SHA1) return 0; - /* Level 2: no RC4 */ - if (level >= 2 && c->algorithm_enc == SSL_RC4) - return 0; /* Level 3: forward secure ciphersuites only */ if (level >= 3 && c->min_tls != TLS1_3_VERSION && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))