curl-library
[PATCH 1/3] nss: do not enable AES cipher-suites by default
From: Kamil Dudka <kdudka_at_redhat.com>
Date: Mon, 10 Mar 2014 13:44:17 +0100
Date: Mon, 10 Mar 2014 13:44:17 +0100
... but allow them to be enabled/disabled explicitly. The default
policy should be maintained at the NSS level.
--- lib/vtls/nss.c | 27 ++++----------------------- 1 files changed, 4 insertions(+), 23 deletions(-) diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 8e8a41e..e22b098 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -123,6 +123,10 @@ static const cipher_s cipherlist[] = { {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA}, {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA}, /* AES ciphers. */ + {"dhe_dss_aes_128_cbc_sha", TLS_DHE_DSS_WITH_AES_128_CBC_SHA}, + {"dhe_dss_aes_256_cbc_sha", TLS_DHE_DSS_WITH_AES_256_CBC_SHA}, + {"dhe_rsa_aes_128_cbc_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA}, + {"dhe_rsa_aes_256_cbc_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA}, {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA}, {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA}, /* ECC ciphers. */ @@ -153,18 +157,6 @@ static const cipher_s cipherlist[] = { {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA}, }; -/* following ciphers are new in NSS 3.4 and not enabled by default, therefore - they are enabled explicitly */ -static const int enable_ciphers_by_default[] = { - TLS_DHE_DSS_WITH_AES_128_CBC_SHA, - TLS_DHE_DSS_WITH_AES_256_CBC_SHA, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, - TLS_DHE_RSA_WITH_AES_256_CBC_SHA, - TLS_RSA_WITH_AES_128_CBC_SHA, - TLS_RSA_WITH_AES_256_CBC_SHA, - SSL_NULL_WITH_NULL_NULL -}; - static const char* pem_library = "libnsspem.so"; SECMODModule* mod = NULL; @@ -1294,7 +1286,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CURLcode curlerr; - const int *cipher_to_enable; PRSocketOptionData sock_opt; long time_left; PRUint32 timeout; @@ -1396,16 +1387,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) /* reset the flag to avoid an infinite loop */ data->state.ssl_connect_retry = FALSE; - /* enable all ciphers from enable_ciphers_by_default */ - cipher_to_enable = enable_ciphers_by_default; - while(SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) { - if(SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) { - curlerr = CURLE_SSL_CIPHER; - goto error; - } - cipher_to_enable++; - } - if(data->set.ssl.cipher_list) { if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) { curlerr = CURLE_SSL_CIPHER; -- 1.7.1 ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.htmlReceived on 2014-03-10