
github.com/mono/boringssl.git - Unnamed repository; edit this file 'description' to name the repository.
authorDavid Benjamin <davidben@chromium.org>2014-08-19 22:12:39 +0400
committerAdam Langley <agl@google.com>2014-08-19 23:00:32 +0400
commitede973a89a5bf8784855d2bea9c8ae4a5e3e32ee (patch)
tree07677c04d3622c68944003f23db431091a4e3225 /ssl/s3_lib.c
parent6bc658d2e33548ff1a6fc10f0f4bdc1e24fe89cd (diff)
Tidy up cipher ordering.
To align with what Chrome sends on NSS, remove all 3DES cipher suites except RSA_WITH_3DES_EDE_CBC_SHA. This avoids having to order a PFS 3DES cipher against a non-PFS 3DES cipher. Remove the strength sort which wanted to place AES_256_CBC ahead of AES_128_GCM and is not especially useful (everything under 128 is either 3DES or DES). Instead, explicitly order all the bulk ciphers. Continue to prefer PFS over non-PFS and ECDHE over DHE. This gives the following order in Chromium. We can probably prune it a bit (DHE_DSS, DH_*) in a follow-up. TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14) Forward Secrecy 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13) Forward Secrecy 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15) Forward Secrecy 256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0xa2) Forward Secrecy* 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38) Forward Secrecy* 256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32) Forward Secrecy* 128 TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Forward Secrecy 128 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Forward Secrecy 128 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0xa4) 128 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0xa0) 128 TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x37) 256 TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x36) 256 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x31) 128 TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x30) 128 
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_RC4_128_SHA (0x5) 128 TLS_RSA_WITH_RC4_128_MD5 (0x4) 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 BUG=405091 Change-Id: Ib8dd28469414a4eb496788a57a215e7e21f8c37f Reviewed-on: https://boringssl-review.googlesource.com/1559 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r--ssl/s3_lib.c176
1 files changed, 0 insertions, 176 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 9a29bf8a..1cf01508 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -250,22 +250,6 @@ const SSL_CIPHER ssl3_ciphers[]={
56,
},
-/* Cipher 0D */
- {
- 1,
- SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
- SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
- SSL_kDHd,
- SSL_aDH,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher 0F */
{
1,
@@ -282,22 +266,6 @@ const SSL_CIPHER ssl3_ciphers[]={
56,
},
-/* Cipher 10 */
- {
- 1,
- SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
- SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
- SSL_kDHr,
- SSL_aDH,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* The Ephemeral DH ciphers */
/* Cipher 12 */
@@ -316,22 +284,6 @@ const SSL_CIPHER ssl3_ciphers[]={
56,
},
-/* Cipher 13 */
- {
- 1,
- SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
- SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher 15 */
{
1,
@@ -348,22 +300,6 @@ const SSL_CIPHER ssl3_ciphers[]={
56,
},
-/* Cipher 16 */
- {
- 1,
- SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
- SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
- SSL_kEDH,
- SSL_aRSA,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher 18 */
{
1,
@@ -396,22 +332,6 @@ const SSL_CIPHER ssl3_ciphers[]={
56,
},
-/* Cipher 1B */
- {
- 1,
- SSL3_TXT_ADH_DES_192_CBC_SHA,
- SSL3_CK_ADH_DES_192_CBC_SHA,
- SSL_kEDH,
- SSL_aNULL,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* New AES ciphersuites */
/* Cipher 2F */
{
@@ -829,22 +749,6 @@ const SSL_CIPHER ssl3_ciphers[]={
128,
},
- /* Cipher 8B */
- {
- 1,
- TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA,
- TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA,
- SSL_kPSK,
- SSL_aPSK,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher 8C */
{
1,
@@ -1094,22 +998,6 @@ const SSL_CIPHER ssl3_ciphers[]={
128,
},
- /* Cipher C003 */
- {
- 1,
- TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
- TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
- SSL_kECDHe,
- SSL_aECDH,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher C004 */
{
1,
@@ -1158,22 +1046,6 @@ const SSL_CIPHER ssl3_ciphers[]={
128,
},
- /* Cipher C008 */
- {
- 1,
- TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
- TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
- SSL_kEECDH,
- SSL_aECDSA,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher C009 */
{
1,
@@ -1222,22 +1094,6 @@ const SSL_CIPHER ssl3_ciphers[]={
128,
},
- /* Cipher C00D */
- {
- 1,
- TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
- TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
- SSL_kECDHr,
- SSL_aECDH,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher C00E */
{
1,
@@ -1286,22 +1142,6 @@ const SSL_CIPHER ssl3_ciphers[]={
128,
},
- /* Cipher C012 */
- {
- 1,
- TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
- TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
- SSL_kEECDH,
- SSL_aRSA,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher C013 */
{
1,
@@ -1350,22 +1190,6 @@ const SSL_CIPHER ssl3_ciphers[]={
128,
},
- /* Cipher C017 */
- {
- 1,
- TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
- TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
- SSL_kEECDH,
- SSL_aNULL,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 112,
- 168,
- },
-
/* Cipher C018 */
{
1,