|
|
d198f9 |
This patch updates MozNSS cipher suite definition in OpenLDAP.
|
|
|
767ab2 |
|
|
|
d198f9 |
Author: Matus Honek <mhonek@redhat.com>
|
|
|
d198f9 |
Related: #1245279
|
|
|
767ab2 |
|
|
|
d198f9 |
Combined two previous patches into one:
|
|
|
d198f9 |
Author: Martin Poole <mpoole@redhat.com>
|
|
|
767ab2 |
Author: Jan Vcelak <jvcelak@redhat.com>
|
|
|
d198f9 |
Related: #1231522 #1160467
|
|
|
767ab2 |
Upstream ITS: #7374
|
|
|
767ab2 |
|
|
|
767ab2 |
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
|
767ab2 |
--- a/libraries/libldap/tls_m.c
|
|
|
767ab2 |
+++ b/libraries/libldap/tls_m.c
|
|
|
d198f9 |
@@ -76,6 +76,11 @@
|
|
|
d198f9 |
#define HAVE_SECMOD_RESTARTMODULES 1
|
|
|
d198f9 |
#endif
|
|
|
d198f9 |
|
|
|
d198f9 |
+/* NSS 3.20.0 and later have SHA384 ciphers */
|
|
|
d198f9 |
+#if NSS_VERSION_INT >= 0x03140000
|
|
|
d198f9 |
+#define HAVE_SHA384_CIPHERS 1
|
|
|
d198f9 |
+#endif
|
|
|
d198f9 |
+
|
|
|
d198f9 |
/* InitContext does not currently work in server mode */
|
|
|
d198f9 |
/* #define INITCONTEXT_HACK 1 */
|
|
|
d198f9 |
|
|
|
d198f9 |
@@ -203,27 +208,36 @@ typedef struct {
|
|
|
767ab2 |
int num; /* The cipher id */
|
|
|
767ab2 |
int attr; /* cipher attributes: algorithms, etc */
|
|
|
767ab2 |
int version; /* protocol version valid for this cipher */
|
|
|
767ab2 |
- int bits; /* bits of strength */
|
|
|
767ab2 |
- int alg_bits; /* bits of the algorithm */
|
|
|
767ab2 |
int strength; /* LOW, MEDIUM, HIGH */
|
|
|
767ab2 |
int enabled; /* Enabled by default? */
|
|
|
767ab2 |
} cipher_properties;
|
|
|
767ab2 |
|
|
|
767ab2 |
/* cipher attributes */
|
|
|
767ab2 |
-#define SSL_kRSA 0x00000001L
|
|
|
767ab2 |
-#define SSL_aRSA 0x00000002L
|
|
|
767ab2 |
-#define SSL_aDSS 0x00000004L
|
|
|
767ab2 |
-#define SSL_DSS SSL_aDSS
|
|
|
767ab2 |
-#define SSL_eNULL 0x00000008L
|
|
|
767ab2 |
-#define SSL_DES 0x00000010L
|
|
|
767ab2 |
-#define SSL_3DES 0x00000020L
|
|
|
767ab2 |
-#define SSL_RC4 0x00000040L
|
|
|
767ab2 |
-#define SSL_RC2 0x00000080L
|
|
|
767ab2 |
-#define SSL_AES 0x00000100L
|
|
|
767ab2 |
-#define SSL_MD5 0x00000200L
|
|
|
767ab2 |
-#define SSL_SHA1 0x00000400L
|
|
|
767ab2 |
-#define SSL_SHA SSL_SHA1
|
|
|
767ab2 |
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
|
|
|
767ab2 |
+#define SSL_kRSA 0x00000001L
|
|
|
767ab2 |
+#define SSL_aRSA 0x00000002L
|
|
|
767ab2 |
+#define SSL_RSA (SSL_kRSA|SSL_aRSA)
|
|
|
767ab2 |
+#define SSL_aDSA 0x00000004L
|
|
|
767ab2 |
+#define SSL_DSA SSL_aDSA
|
|
|
767ab2 |
+#define SSL_eNULL 0x00000008L
|
|
|
767ab2 |
+#define SSL_DES 0x00000010L
|
|
|
767ab2 |
+#define SSL_3DES 0x00000020L
|
|
|
767ab2 |
+#define SSL_RC4 0x00000040L
|
|
|
767ab2 |
+#define SSL_RC2 0x00000080L
|
|
|
767ab2 |
+#define SSL_AES128 0x00000100L
|
|
|
767ab2 |
+#define SSL_AES256 0x00000200L
|
|
|
767ab2 |
+#define SSL_AES (SSL_AES128|SSL_AES256)
|
|
|
767ab2 |
+#define SSL_MD5 0x00000400L
|
|
|
767ab2 |
+#define SSL_SHA1 0x00000800L
|
|
|
767ab2 |
+#define SSL_kEDH 0x00001000L
|
|
|
767ab2 |
+#define SSL_CAMELLIA128 0x00002000L
|
|
|
767ab2 |
+#define SSL_CAMELLIA256 0x00004000L
|
|
|
767ab2 |
+#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
|
|
|
767ab2 |
+#define SSL_SEED 0x00008000L
|
|
|
767ab2 |
+#define SSL_kECDH 0x00010000L
|
|
|
767ab2 |
+#define SSL_kECDHE 0x00020000L
|
|
|
767ab2 |
+#define SSL_aECDSA 0x00040000L
|
|
|
d198f9 |
+#define SSL_SHA256 0x00080000L
|
|
|
d198f9 |
+#define SSL_SHA384 0x00100000L
|
|
|
767ab2 |
|
|
|
767ab2 |
/* cipher strength */
|
|
|
767ab2 |
#define SSL_NULL 0x00000001L
|
|
|
a3e6a8 |
@@ -237,32 +251,120 @@ typedef struct {
|
|
|
d198f9 |
#define SSL3 0x00000002L
|
|
|
d198f9 |
/* OpenSSL treats SSL3 and TLSv1 the same */
|
|
|
d198f9 |
#define TLS1 SSL3
|
|
|
d198f9 |
+#define TLS1_2 0x00000004L
|
|
|
767ab2 |
|
|
|
767ab2 |
/* Cipher translation */
|
|
|
767ab2 |
static cipher_properties ciphers_def[] = {
|
|
|
767ab2 |
- /* SSL 2 ciphers */
|
|
|
767ab2 |
- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
|
|
|
767ab2 |
- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
|
|
767ab2 |
- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
|
|
767ab2 |
- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
|
|
|
767ab2 |
- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
|
|
767ab2 |
- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
|
|
767ab2 |
-
|
|
|
767ab2 |
- /* SSL3 ciphers */
|
|
|
767ab2 |
- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
|
|
767ab2 |
- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
|
|
|
767ab2 |
- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
|
|
|
767ab2 |
- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
|
|
|
767ab2 |
- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
|
|
|
767ab2 |
- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
|
|
|
767ab2 |
- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
|
|
|
767ab2 |
- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
|
|
|
767ab2 |
+
|
|
|
767ab2 |
+ /*
|
|
|
767ab2 |
+ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
|
|
|
767ab2 |
+ */
|
|
|
767ab2 |
+
|
|
|
767ab2 |
+ /* SSLv2 ciphers */
|
|
|
d198f9 |
+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW},
|
|
|
d198f9 |
+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH},
|
|
|
d198f9 |
+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM},
|
|
|
d198f9 |
+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM},
|
|
|
d198f9 |
+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40},
|
|
|
d198f9 |
+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40},
|
|
|
767ab2 |
+
|
|
|
767ab2 |
+ /* SSLv3 ciphers */
|
|
|
d198f9 |
+ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL},
|
|
|
d198f9 |
+ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL},
|
|
|
d198f9 |
+ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
|
|
|
d198f9 |
+ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
|
|
|
d198f9 |
+ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM},
|
|
|
d198f9 |
+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM},
|
|
|
d198f9 |
+ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40},
|
|
|
d198f9 |
+ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40},
|
|
|
d198f9 |
+ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
|
|
|
d198f9 |
+ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
|
|
|
d198f9 |
+ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
|
|
|
d198f9 |
+ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
|
|
|
767ab2 |
|
|
|
767ab2 |
/* TLSv1 ciphers */
|
|
|
767ab2 |
- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
|
|
|
767ab2 |
- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
|
|
|
767ab2 |
- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
|
|
|
767ab2 |
- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
|
|
|
d198f9 |
+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56},
|
|
|
d198f9 |
+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56},
|
|
|
d198f9 |
+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
|
d198f9 |
+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
|
d198f9 |
+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
|
|
|
d198f9 |
+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
|
d198f9 |
+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
|
|
|
d198f9 |
+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
|
d198f9 |
+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
|
|
|
d198f9 |
+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
|
d198f9 |
+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
|
|
|
d198f9 |
+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
|
|
|
d198f9 |
+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
|
|
|
d198f9 |
+
|
|
|
d198f9 |
+/* conditional on one of the newer defs */
|
|
|
d198f9 |
+#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
|
d198f9 |
+ /* TLSv1.2 ciphers */
|
|
|
d198f9 |
+ /* The following ciphers appear in the openssl sources as TLSv1.2 but currently have no NSS equivalent
|
|
|
d198f9 |
+
|
|
|
d198f9 |
+ DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
|
|
|
d198f9 |
+ ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
|
|
|
d198f9 |
+ ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
|
|
|
d198f9 |
+ ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
|
|
|
d198f9 |
+ ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
|
|
|
d198f9 |
+ ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
|
|
|
d198f9 |
+ ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
|
|
|
d198f9 |
+ ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
|
|
|
d198f9 |
+ ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
|
|
|
d198f9 |
+
|
|
|
d198f9 |
+ */
|
|
|
d198f9 |
+ {"NULL-SHA256", TLS_RSA_WITH_NULL_SHA256, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256, TLS1_2, SSL_NULL},
|
|
|
d198f9 |
+ {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"AES128-GCM-SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"AES256-GCM-SHA384", TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+
|
|
|
d198f9 |
+ {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-RSA-AES128-GCM-SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-RSA-AES256-GCM-SHA384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+
|
|
|
d198f9 |
+ {"DHE-DSS-AES128-SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-DSS-AES256-SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
95f81a |
+ {"DHE-DSS-AES256-GCM-SHA384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+
|
|
|
d198f9 |
+ {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-ECDSA-AES128-GCM-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-RSA-AES128-GCM-SHA256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-ECDSA-AES256-GCM-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-RSA-AES256-GCM-SHA384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+ {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
|
|
|
d198f9 |
+#endif
|
|
|
d198f9 |
+
|
|
|
a3e6a8 |
+ {"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
a3e6a8 |
+ {"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
a3e6a8 |
+ {"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
|
|
|
767ab2 |
};
|
|
|
767ab2 |
|
|
|
767ab2 |
#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
|
|
|
d198f9 |
@@ -574,6 +673,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
|
|
767ab2 |
mask |= SSL_RSA;
|
|
|
767ab2 |
} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
|
|
|
767ab2 |
mask |= SSL_eNULL;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "AES128")) {
|
|
|
767ab2 |
+ mask |= SSL_AES128;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "AES256")) {
|
|
|
767ab2 |
+ mask |= SSL_AES256;
|
|
|
767ab2 |
} else if (!strcmp(cipher, "AES")) {
|
|
|
767ab2 |
mask |= SSL_AES;
|
|
|
767ab2 |
} else if (!strcmp(cipher, "3DES")) {
|
|
|
d198f9 |
@@ -588,12 +691,34 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
|
|
|
767ab2 |
mask |= SSL_MD5;
|
|
|
767ab2 |
} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
|
|
|
767ab2 |
mask |= SSL_SHA1;
|
|
|
d198f9 |
+ } else if (!strcmp(cipher, "SHA256")) {
|
|
|
d198f9 |
+ mask |= SSL_SHA256;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "EDH")) {
|
|
|
767ab2 |
+ mask |= SSL_kEDH;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "DSS")) {
|
|
|
767ab2 |
+ mask |= SSL_aDSA;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "CAMELLIA128")) {
|
|
|
767ab2 |
+ mask |= SSL_CAMELLIA128;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "CAMELLIA256")) {
|
|
|
767ab2 |
+ mask |= SSL_CAMELLIA256;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "CAMELLIA")) {
|
|
|
767ab2 |
+ mask |= SSL_CAMELLIA;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "SEED")) {
|
|
|
767ab2 |
+ mask |= SSL_SEED;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "ECDH")) {
|
|
|
767ab2 |
+ mask |= SSL_kECDH;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "ECDHE")) {
|
|
|
767ab2 |
+ mask |= SSL_kECDHE;
|
|
|
767ab2 |
+ } else if (!strcmp(cipher, "ECDSA")) {
|
|
|
767ab2 |
+ mask |= SSL_aECDSA;
|
|
|
767ab2 |
} else if (!strcmp(cipher, "SSLv2")) {
|
|
|
767ab2 |
protocol |= SSL2;
|
|
|
767ab2 |
} else if (!strcmp(cipher, "SSLv3")) {
|
|
|
d198f9 |
protocol |= SSL3;
|
|
|
d198f9 |
} else if (!strcmp(cipher, "TLSv1")) {
|
|
|
d198f9 |
protocol |= TLS1;
|
|
|
d198f9 |
+ } else if (!strcmp(cipher, "TLSv1.2")) {
|
|
|
d198f9 |
+ protocol |= TLS1_2;
|
|
|
d198f9 |
} else if (!strcmp(cipher, "HIGH")) {
|
|
|
d198f9 |
strength |= SSL_HIGH;
|
|
|
d198f9 |
} else if (!strcmp(cipher, "MEDIUM")) {
|