diff options
author | Emilia Kasper <emilia@openssl.org> | 2016-03-03 19:50:03 +0100 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2016-03-07 16:53:42 +0100 |
commit | a556f342201473b4bf8dbf879b03890a74e412b6 (patch) | |
tree | 76527cf039cfd054c6a2c9f4a0008f4feaa7c403 /ssl | |
parent | Makefile.in: populate [PLIB_]LDFLAG even with $target{} settings. (diff) | |
download | openssl-a556f342201473b4bf8dbf879b03890a74e412b6.tar.xz openssl-a556f342201473b4bf8dbf879b03890a74e412b6.zip |
Rework the default cipherlist.
- Always prefer forward-secure handshakes.
- Consistently order ECDSA above RSA.
- Next, always prefer AEADs to non-AEADs, irrespective of strength.
- Within AEADs, prefer GCM > CHACHA > CCM for a given strength.
- Prefer TLS v1.2 ciphers to legacy ciphers.
- Remove rarely used DSS, IDEA, SEED, CAMELLIA, CCM from the default
list to reduce ClientHello bloat.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_lib.c | 116 | ||||
-rw-r--r-- | ssl/ssl_ciph.c | 63 | ||||
-rw-r--r-- | ssl/ssl_locl.h | 4 |
3 files changed, 118 insertions, 65 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index c9b27eba4b..78aaf7bae8 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -239,7 +239,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_IDEA, SSL_SHA1, SSL_SSLV3, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -272,7 +272,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -401,7 +401,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128, SSL_SHA1, SSL_SSLV3, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -463,7 +463,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256, SSL_SHA1, SSL_SSLV3, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -560,7 +560,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -579,7 +579,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -595,7 +595,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -611,7 +611,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -661,7 +661,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -759,7 +759,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -775,7 +775,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -791,7 +791,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -1028,7 +1028,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_SEED, SSL_SHA1, SSL_SSLV3, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -1044,7 +1044,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_SEED, SSL_SHA1, SSL_SSLV3, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -1060,7 +1060,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_SEED, SSL_SHA1, SSL_SSLV3, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -1160,7 +1160,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -1176,7 +1176,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, @@ -1518,7 +1518,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -1534,7 +1534,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -1550,7 +1550,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -1582,7 +1582,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -1598,7 +1598,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -1614,7 +1614,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -1929,7 +1929,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1977,7 +1977,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, @@ -2025,7 +2025,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256, SSL_SHA1, SSL_SSLV3, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, @@ -2323,7 +2323,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128}, @@ -2337,7 +2337,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2351,7 +2351,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128}, @@ -2365,7 +2365,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2383,7 +2383,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128}, @@ -2397,7 +2397,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2411,7 +2411,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128}, @@ -2425,7 +2425,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2439,7 +2439,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128}, @@ -2453,7 +2453,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2467,7 +2467,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128}, @@ -2481,7 +2481,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_CAMELLIA256, SSL_SHA384, SSL_TLSV1, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256}, @@ -2497,7 +2497,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2513,7 +2513,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2529,7 +2529,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2545,7 +2545,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2561,7 +2561,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2577,7 +2577,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2593,7 +2593,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2609,7 +2609,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2625,7 +2625,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2641,7 +2641,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2657,7 +2657,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2673,7 +2673,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2689,7 +2689,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2705,7 +2705,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2721,7 +2721,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2737,7 +2737,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2753,7 +2753,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2769,7 +2769,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, @@ -2785,7 +2785,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, @@ -2801,7 +2801,7 @@ static const SSL_CIPHER ssl3_ciphers[] = { SSL_AES256CCM8, SSL_AEAD, SSL_TLSV1_2, - SSL_HIGH, + SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 376b7b62d5..acf5c00dad 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -278,6 +278,11 @@ static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = { #define CIPHER_DEL 3 #define CIPHER_ORD 4 #define CIPHER_SPECIAL 5 +/* + * Bump the ciphers to the top of the list. + * This rule isn't currently supported by the public cipherstring API. + */ +#define CIPHER_BUMP 6 typedef struct cipher_order_st { const SSL_CIPHER *cipher; @@ -896,7 +901,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, algo_strength, strength_bits); #endif - if (rule == CIPHER_DEL) + if (rule == CIPHER_DEL || rule == CIPHER_BUMP) reverse = 1; /* needed to maintain sorting between * currently deleted ciphers */ @@ -986,6 +991,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, ll_append_head(&head, curr, &tail); curr->active = 0; } + } else if (rule == CIPHER_BUMP) { + if (curr->active) + ll_append_head(&head, curr, &tail); } else if (rule == CIPHER_KILL) { /* reverse == 0 */ if (head == curr) @@ -1420,20 +1428,36 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK disabled_mac, disabled_ssl, co_list, &head, &tail); - /* Now arrange all ciphers by preference: */ + /* Now arrange all ciphers by preference. */ /* * Everything else being equal, prefer ephemeral ECDH over other key - * exchange mechanisms + * exchange mechanisms. + * For consistency, prefer ECDSA over RSA (though this only matters if the + * server has both certificates, and is using the DEFAULT, or a client + * preference). */ + ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD, + -1, &head, &tail); ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); - /* AES is our preferred symmetric cipher */ - ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, - &tail); + + /* Within each strength group, we prefer GCM over CHACHA... */ + ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, + &head, &tail); + ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, + &head, &tail); + + /* + * ...and generally, our preferred cipher is AES. + * Note that AEADs will be bumped to take preference after sorting by + * strength. + */ + ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD, + -1, &head, &tail); /* Temporarily enable everything else for sorting */ ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); @@ -1472,6 +1496,33 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK return NULL; } + /* + * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs. + * TODO(openssl-team): is there an easier way to accomplish all this? + */ + ssl_cipher_apply_rule(0, 0, 0, 0, 0, SSL_TLSV1_2, 0, CIPHER_BUMP, -1, + &head, &tail); + + /* + * Irrespective of strength, enforce the following order: + * (EC)DHE + AEAD > (EC)DHE > rest of AEAD > rest. + * Within each group, ciphers remain sorted by strength and previous + * preference, i.e., + * 1) ECDHE > DHE + * 2) GCM > CHACHA + * 3) AES > rest + * 4) TLS 1.2 > legacy + * + * Because we now bump ciphers to the top of the list, we proceed in + * reverse order of preference. + */ + ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1, + &head, &tail); + ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0, + CIPHER_BUMP, -1, &head, &tail); + ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0, + CIPHER_BUMP, -1, &head, &tail); + /* Now disable everything (maintaining the ordering!) */ ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index ca928e7d5d..4ea036dbf2 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -358,7 +358,9 @@ # define SSL_eGOST2814789CNT12 0x00040000U # define SSL_CHACHA20POLY1305 0x00080000U -# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM|SSL_AES128CCM|SSL_AES256CCM|SSL_AES128CCM8|SSL_AES256CCM8) +# define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM) +# define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8) +# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM) # define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) # define SSL_CHACHA20 (SSL_CHACHA20POLY1305) |