mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-29 11:41:15 +03:00
Merge pull request #4587 from TRodziewicz/remove_3DES_ciphersuites
Remove 3DES ciphersuites
This commit is contained in:
Manuel Pégourié-Gonnard
GitHub
@ -682,26 +682,6 @@
|
||||
*/
|
||||
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
|
||||
*
|
||||
* Remove 3DES ciphersuites by default in SSL / TLS.
|
||||
* This flag removes the ciphersuites based on 3DES from the default list as
|
||||
* returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
|
||||
* to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
|
||||
* them explicitly.
|
||||
*
|
||||
* A man-in-the-browser attacker can recover authentication tokens sent through
|
||||
* a TLS connection using a 3DES based cipher suite (see "On the Practical
|
||||
* (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
|
||||
* Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
|
||||
* in your threat model or you are unsure, then you should keep this option
|
||||
* enabled to remove 3DES based cipher suites.
|
||||
*
|
||||
* Comment this macro to keep 3DES in the default ciphersuite list.
|
||||
*/
|
||||
#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
*
|
||||
@ -843,7 +823,6 @@
|
||||
* MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
||||
|
||||
@ -866,7 +845,6 @@
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* \warning Using DHE constitutes a security risk as it
|
||||
* is not possible to validate custom DH parameters.
|
||||
@ -892,7 +870,6 @@
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
||||
|
||||
@ -916,7 +893,6 @@
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
|
||||
@ -942,7 +918,6 @@
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
|
||||
@ -968,7 +943,6 @@
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* \warning Using DHE constitutes a security risk as it
|
||||
* is not possible to validate custom DH parameters.
|
||||
@ -999,7 +973,6 @@
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
|
||||
@ -1022,7 +995,6 @@
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
|
||||
@ -1035,7 +1007,6 @@
|
||||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
|
||||
@ -1058,7 +1029,6 @@
|
||||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
|
||||
@ -2422,19 +2392,6 @@
|
||||
* Caller: library/pem.c
|
||||
* library/cipher.c
|
||||
*
|
||||
* This module enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* PEM_PARSE uses DES/3DES for decrypting encrypted keys.
|
||||
*
|
||||
* \warning DES is considered a weak cipher and its use constitutes a
|
||||
|
||||
@ -42,10 +42,6 @@ extern "C" {
|
||||
#define MBEDTLS_TLS_RSA_WITH_NULL_MD5 0x01 /**< Weak! */
|
||||
#define MBEDTLS_TLS_RSA_WITH_NULL_SHA 0x02 /**< Weak! */
|
||||
|
||||
#define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x0A
|
||||
|
||||
#define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x16
|
||||
|
||||
#define MBEDTLS_TLS_PSK_WITH_NULL_SHA 0x2C /**< Weak! */
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA 0x2D /**< Weak! */
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA 0x2E /**< Weak! */
|
||||
@ -68,15 +64,12 @@ extern "C" {
|
||||
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x84
|
||||
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x88
|
||||
|
||||
#define MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 0x8B
|
||||
#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 0x8C
|
||||
#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 0x8D
|
||||
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 0x8F
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x90
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x91
|
||||
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 0x93
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 0x94
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 0x95
|
||||
|
||||
@ -114,22 +107,18 @@ extern "C" {
|
||||
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4 /**< TLS 1.2 */
|
||||
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
|
||||
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A
|
||||
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F
|
||||
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014
|
||||
|
||||
@ -151,7 +140,6 @@ extern "C" {
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 /**< TLS 1.2 */
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 /**< TLS 1.2 */
|
||||
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 0xC034
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037
|
||||
|
||||
Reference in New Issue
Block a user