From: Nick Zitzmann Date: Sun, 18 Sep 2016 20:01:03 +0000 (-0500) Subject: darwinssl: disable RC4 cipher-suite support X-Git-Tag: curl-7_51_0~150 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=227ee9d84d390f37c28dfe43ceda308c6083b1f6;p=thirdparty%2Fcurl.git darwinssl: disable RC4 cipher-suite support RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
---
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 90119dd50d..9af379112a 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1438,6 +1438,16 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 /* Disable IDEA: */
 case SSL_RSA_WITH_IDEA_CBC_SHA:
 case SSL_RSA_WITH_IDEA_CBC_MD5:
+ /* Disable RC4: */
+ case SSL_RSA_WITH_RC4_128_MD5:
+ case SSL_RSA_WITH_RC4_128_SHA:
+ case 0xC002: /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
+ case 0xC007: /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA*/
+ case 0xC00C: /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
+ case 0xC011: /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
+ case 0x008A: /* TLS_PSK_WITH_RC4_128_SHA */
+ case 0x008E: /* TLS_DHE_PSK_WITH_RC4_128_SHA */
+ case 0x0092: /* TLS_RSA_PSK_WITH_RC4_128_SHA */
 break;
 default: /* enable everything else */
 allowed_ciphers[allowed_ciphers_count++] = all_ciphers[i];
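Review bot: The new RC4 cases extend a deny-list whose `default:` branch enables every other suite, so any RC4 suite not named here remains negotiable. The list does not include 0xC033 (TLS_ECDHE_PSK_WITH_RC4_128_SHA). The anonymous and Kerberos RC4 suites are excluded only if earlier cases of this switch already name them; the switch starts and ends outside the hunk, so that should be checked against the full file. I would add `case 0xC033: /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */` and a comment above the block such as `/* RC4 suites by IANA value; anything not listed falls through to default and is enabled */`. The raw hex labels are presumably there because older SDK headers lack the symbolic names, which would also be worth saying in that comment.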