There are two groups of four ciphersuites that I think have mismatched key exchange cipherlist labels.
The first four are DH-DSS ciphersuites with which don't seem to be enabled, but as long as they are in the table perhaps they ought to be corrected. This patch changes Kx in those instances from kDHr to kDHd (ciphersuites 3e, 68, a4, a5) The second four are in ECDH-RSA ciphersuites which can be seen in 1.0.1b with openssl ciphers "kECDHe" -v | grep RSA ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384 ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256 This patch changes Kx in those instances from kECDHe to kECDHr. (ciphersuites c029, c02a, c031, c032)
There are two groups of four ciphersuites that I think have mismatched key exchange cipherlist labels.
The first four are DH-DSS ciphersuites with which don't seem to be enabled, but as long as they are in the table perhaps they ought to be corrected.
This patch changes Kx in those instances from kDHr to kDHd (ciphersuites 3e, 68, a4, a5)
The second four are in ECDH-RSA ciphersuites which can be seen in 1.0.1b with
openssl ciphers "kECDHe" -v | grep RSA
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
This patch changes Kx in those instances from kECDHe to kECDHr. (ciphersuites c029, c02a, c031, c032)
openssl-csuitefixdss2.patch
Description: Binary data