diff options
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | lib/gnutls_priority.c | 16 |
2 files changed, 11 insertions, 8 deletions
@@ -34,6 +34,9 @@ Version 2.12.24 (unreleased) ** libgnutls: Removed support for EXPORT ciphersuites. The EXPORT priority string becomes and alias to NORMAL. +** libgnutls: ARCFOUR-128 was prioritized lower than any other cipher. Was + removed from the algorithms when the SECURE priority string is specified. + ** libgnutls: Do not call the post client hello callback twice when resuming using session tickets. diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index f2131b5747..74c6ea48dc 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -249,7 +249,6 @@ static const int kx_priority_secure[] = { }; static const int cipher_priority_performance[] = { - GNUTLS_CIPHER_ARCFOUR_128, #ifdef ENABLE_CAMELLIA GNUTLS_CIPHER_CAMELLIA_128_CBC, #endif @@ -259,19 +258,20 @@ static const int cipher_priority_performance[] = { #ifdef ENABLE_CAMELLIA GNUTLS_CIPHER_CAMELLIA_256_CBC, #endif - /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_CIPHER_ARCFOUR_128, 0 }; static const int cipher_priority_normal[] = { - GNUTLS_CIPHER_AES_128_CBC, -#ifdef ENABLE_CAMELLIA - GNUTLS_CIPHER_CAMELLIA_128_CBC, -#endif GNUTLS_CIPHER_AES_256_CBC, #ifdef ENABLE_CAMELLIA GNUTLS_CIPHER_CAMELLIA_256_CBC, #endif + GNUTLS_CIPHER_AES_128_CBC, +#ifdef ENABLE_CAMELLIA + GNUTLS_CIPHER_CAMELLIA_128_CBC, +#endif GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ @@ -280,11 +280,12 @@ static const int cipher_priority_normal[] = { static const int cipher_priority_secure128[] = { GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_AES_256_CBC, #ifdef ENABLE_CAMELLIA GNUTLS_CIPHER_CAMELLIA_128_CBC, + GNUTLS_CIPHER_CAMELLIA_256_CBC, #endif GNUTLS_CIPHER_3DES_CBC, - GNUTLS_CIPHER_ARCFOUR_128, /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ 0 }; @@ -300,7 +301,6 @@ static const int cipher_priority_secure256[] = { GNUTLS_CIPHER_CAMELLIA_128_CBC, #endif GNUTLS_CIPHER_3DES_CBC, - GNUTLS_CIPHER_ARCFOUR_128, /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ 0 }; |