From: slontis Date: Wed, 22 Sep 2021 05:53:54 +0000 (+1000) Subject: Change TLS RC4 cipher strength check to be data driven. X-Git-Tag: openssl-3.2.0-alpha1~3541 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3b5fa4ab7d19e35311a21fec3ebc0a333c352b6;p=thirdparty%2Fopenssl.git Change TLS RC4 cipher strength check to be data driven. This is a same pattern as used in PR #16652 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16656) --- diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 348d02d8bda..ef027d79e07 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2807,7 +2807,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2823,7 +2823,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2839,7 +2839,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2855,7 +2855,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2871,7 +2871,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2887,7 +2887,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2903,7 +2903,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2919,7 +2919,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2935,7 +2935,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2951,7 +2951,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, #endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */ diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 547e9b9ccdd..a9e71046b37 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1021,9 +1021,6 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, /* SHA1 HMAC is 160 bits of security */ if (minbits > 160 && c->algorithm_mac & SSL_SHA1) return 0; - /* Level 2: no RC4 */ - if (level >= 2 && c->algorithm_enc == SSL_RC4) - return 0; /* Level 3: forward secure ciphersuites only */ if (level >= 3 && c->min_tls != TLS1_3_VERSION && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))