From: Nikos Mavrogiannopoulos Date: Tue, 3 Mar 2015 08:31:16 +0000 (+0100) Subject: DSA signatures and DHE-DSS are disabled by default X-Git-Tag: gnutls_3_4_0~274 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eb30decc3dbaff325fa627ea4644417197d9307c;p=thirdparty%2Fgnutls.git DSA signatures and DHE-DSS are disabled by default DSA was an algorithm that was never deployed on the Internet and had, until very recently, several limitations such as restriction of its keys to 1024 bits, SHA1-only etc. Given that there are literally 0 internet (HTTPS) certificates using DSA, there is no point to enable it by default and increase our attack surface.
---
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 37f488bce2..1727dd2a74 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -181,7 +181,6 @@ static const int _kx_priority_performance[] = {
 #endif
 #ifdef ENABLE_DHE
 GNUTLS_KX_DHE_RSA,
- GNUTLS_KX_DHE_DSS,
 #endif
 0
 };
@@ -194,7 +193,6 @@ static const int _kx_priority_pfs[] = {
 #endif
 #ifdef ENABLE_DHE
 GNUTLS_KX_DHE_RSA,
- GNUTLS_KX_DHE_DSS,
 #endif
 0
 };
@@ -221,7 +219,6 @@ static const int _kx_priority_secure[] = {
 */
 #ifdef ENABLE_DHE
 GNUTLS_KX_DHE_RSA,
- GNUTLS_KX_DHE_DSS,
 #endif
 /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add! */
@@ -336,7 +333,6 @@ static const int comp_priority[] = {
 static const int _sign_priority_default[] = {
 GNUTLS_SIGN_RSA_SHA256,
- GNUTLS_SIGN_DSA_SHA256,
 GNUTLS_SIGN_ECDSA_SHA256,
 GNUTLS_SIGN_RSA_SHA384,
@@ -346,11 +342,9 @@ static const int _sign_priority_default[] = {
 GNUTLS_SIGN_ECDSA_SHA512,
 GNUTLS_SIGN_RSA_SHA224,
- GNUTLS_SIGN_DSA_SHA224,
 GNUTLS_SIGN_ECDSA_SHA224,
 GNUTLS_SIGN_RSA_SHA1,
- GNUTLS_SIGN_DSA_SHA1,
 GNUTLS_SIGN_ECDSA_SHA1,
 0
 };
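Review bot: The three key-exchange tables drop `GNUTLS_KX_DHE_DSS` without leaving any marker that the omission is deliberate; this applies to the `_kx_priority_performance` hunk and equally to the `_kx_priority_pfs` and `_kx_priority_secure` hunks. `_kx_priority_secure` already records an intentionally excluded algorithm with its `GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!` comment, so a matching line such as `/* GNUTLS_KX_DHE_DSS: disabled by default, enable explicitly via a priority string */` would stop a later edit from quietly restoring it. The array bodies begin outside these hunks, so whether an existing comment block already covers this cannot be confirmed from here.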
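Review bot: Nothing visible in this patch documents the user-facing effect of removing `GNUTLS_SIGN_DSA_SHA256`, `GNUTLS_SIGN_DSA_SHA224` and `GNUTLS_SIGN_DSA_SHA1` from `_sign_priority_default` (both hunks on that array) and `GNUTLS_SIGN_DSA_SHA256` from `_sign_priority_secure128` in the following hunk. A peer that holds only a DSA certificate will presumably fail the handshake under default priorities after this change, so the priority-string documentation and release notes should say so and show how DSA is re-enabled. It is also worth stating whether these tables govern certificate-chain verification or only handshake signatures; if only the latter, the DSA verification code stays reachable and the attack-surface reduction is narrower than the description suggests. A short comment at the top of each array, e.g. `/* DSA signatures are intentionally absent; enable explicitly via a priority string */`, would record the intent in the code.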
@@ -371,7 +365,6 @@ static const int* sign_priority_suiteb192 = _sign_priority_suiteb192;
 static const int _sign_priority_secure128[] = {
 GNUTLS_SIGN_RSA_SHA256,
- GNUTLS_SIGN_DSA_SHA256,
 GNUTLS_SIGN_ECDSA_SHA256,
 GNUTLS_SIGN_RSA_SHA384,
 GNUTLS_SIGN_ECDSA_SHA384,