authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2018-06-20 13:00:00 +0200
committerAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2018-06-21 17:07:17 +0200
commit29ffa2a1fa4cc396c5d1563a3e5cdca0174de28b (patch)
treee0007c56ec4afb093f91ade9ce8aa1a6a97cd72f
parentcc91db2fb8efeb1e5e3c56a5ff86ea8cb3ef8915 (diff)
downloadgnutls-29ffa2a1fa4cc396c5d1563a3e5cdca0174de28b.tar.gz
hmac-sha384 and sha256 ciphersuites were removed from defaults
These ciphersuites have been deprecated since the introduction of AEAD ciphersuites and are only necessary for compatibility with older servers. Since older servers already support hmac-sha1, there is no reason to keep these ciphersuites enabled by default, as they increase our attack surface. Relates #456
-rw-r--r--lib/gnutls_priority.c8
-rw-r--r--tests/priorities.c10
2 files changed, 5 insertions, 13 deletions
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index c5998abe67..f3e19105f3 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -491,8 +491,6 @@ static const int sign_priority_secure192[] = {
static const int mac_priority_normal_default[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
GNUTLS_MAC_MD5,
0
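Review bot: Nothing in `mac_priority_normal_default` records that SHA256 and SHA384 are left out on purpose, so a later maintainer could add them back as an apparent oversight. A short comment above the array would help, e.g. `/* HMAC-SHA256/384 intentionally absent (non-AEAD, see #456); opt in with +SHA256/+SHA384 */`; the same applies to `mac_priority_normal_fips` and `mac_priority_secure128` in the following hunks. The list also still ends with `GNUTLS_MAC_MD5`, which sits oddly with the attack-surface rationale in the commit message; if it is kept for compatibility, the comment should say so. The diffstat lists only the library file and the test, so a NEWS or manual entry describing the changed defaults appears to be missing from this commit.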
@@ -500,8 +498,6 @@ static const int mac_priority_normal_default[] = {
static const int mac_priority_normal_fips[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
@@ -530,15 +526,11 @@ static const int mac_priority_suiteb192[] = {
static const int mac_priority_secure128[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
static const int mac_priority_secure192[] = {
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
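Review bot: After this change `mac_priority_secure192` holds only `GNUTLS_MAC_AEAD`, and unlike the other lists it has no `GNUTLS_MAC_SHA1` entry, so the commit message's argument that older servers can fall back to hmac-sha1 does not cover this level. A peer that offers only HMAC-based suites would presumably fail the handshake at this level rather than negotiate a weaker suite, which is a sensible outcome but should be stated. I would add `/* AEAD only: no HMAC-based ciphersuites are offered at this level */` above the array and mention the behaviour change in the priority-string documentation.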
diff --git a/tests/priorities.c b/tests/priorities.c
index f22b08b625..46221fcc02 100644
--- a/tests/priorities.c
+++ b/tests/priorities.c
@@ -100,18 +100,18 @@ try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers)
void doit(void)
{
- const int normal = 61;
- const int null = 5;
- const int sec128 = 56;
+ const int normal = 41;
+ const int null = 4;
+ const int sec128 = 36;
try_prio("NORMAL", normal, 9);
try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 9);
try_prio("NORMAL:+CIPHER-ALL", normal, 9); /* all (except null) */
try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1); /* null */
try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 10); /* should be null + all */
- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1); /* should be null + all */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 5, 1);
try_prio("PERFORMANCE", normal, 9);
- try_prio("SECURE256", 20, 4);
+ try_prio("SECURE256", 10, 4);
try_prio("SECURE128", sec128, 8);
try_prio("SECURE128:+SECURE256", sec128, 8); /* should be the same as SECURE128 */
try_prio("SECURE128:+SECURE256:+NORMAL", normal, 9); /* should be the same as NORMAL */
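Review bot: The updated expectations in `doit()` are still bare totals (`41`, `4`, `36`, and the literals `5` and `10`), so the test passes for any suite set of the right size and does not show that the SHA256/SHA384 suites are the ones that left the defaults. A case that opts back in, for example `try_prio("NORMAL:+SHA256:+SHA384", 61, 9);` (61 being the previous NORMAL total, to be confirmed by running it), would pin both the removal and the way to re-enable them. The `+AES-128-CBC` line also lost its comment; a short one such as `/* AES-128-CBC suites only */` would explain the literal `5`. `doit()` continues past the end of this hunk.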