From owner-dev-commits-src-branches@freebsd.org Thu Feb 18 20:11:16 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 59F0A54C94E; Thu, 18 Feb 2021 20:11:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4DhQnw28zcz3Qyx; Thu, 18 Feb 2021 20:11:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3D8921E7CA; Thu, 18 Feb 2021 20:11:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 11IKBGUj014479; Thu, 18 Feb 2021 20:11:16 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 11IKBGRn014478; Thu, 18 Feb 2021 20:11:16 GMT (envelope-from git) Date: Thu, 18 Feb 2021 20:11:16 GMT Message-Id: <202102182011.11IKBGRn014478@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Jung-uk Kim Subject: git: 922c452bd871 - stable/11 - OpenSSL: Move static DH ciphersuites into the "weak-ssl-ciphers" list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jkim X-Git-Repository: src X-Git-Refname: refs/heads/stable/11 X-Git-Reftype: branch X-Git-Commit: 922c452bd871a9c7cc6610abd500711313a2d387 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Feb 2021 20:11:16 -0000 The branch stable/11 has been updated by jkim: URL: https://cgit.FreeBSD.org/src/commit/?id=922c452bd871a9c7cc6610abd500711313a2d387 commit 922c452bd871a9c7cc6610abd500711313a2d387 Author: Jung-uk Kim AuthorDate: 2021-02-18 20:10:27 +0000 Commit: Jung-uk Kim CommitDate: 2021-02-18 20:10:27 +0000 OpenSSL: Move static DH ciphersuites into the "weak-ssl-ciphers" list This effectively disables the static DH ciphersuites because we do not enable weak SSL ciphers. Note it is exactly done as recommended in the OpenSSL Security Advisory for Raccoon Attack (CVE-2020-1968): https://www.openssl.org/news/secadv/20200909.txt --- crypto/openssl/ssl/s3_lib.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index 10c6db683b6e..64e1b0a29e36 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -942,6 +942,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, }, /* Cipher 30 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_128_SHA, @@ -956,7 +957,9 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 31 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_128_SHA, @@ -971,6 +974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 32 */ { 1, @@ -1033,6 +1037,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 256, }, /* Cipher 36 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_256_SHA, @@ -1047,8 +1052,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#endif /* Cipher 37 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_256_SHA, @@ -1063,6 +1070,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#endif /* Cipher 38 */ { @@ -1162,6 +1170,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { }, /* Cipher 3E */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, @@ -1176,8 +1185,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 3F */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_128_SHA256, @@ -1192,6 +1203,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 40 */ { @@ -1229,6 +1241,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { }, /* Cipher 42 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, @@ -1243,8 +1256,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 43 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, @@ -1259,6 +1274,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 44 */ { @@ -1452,6 +1468,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { }, /* Cipher 68 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, @@ -1466,8 +1483,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#endif /* Cipher 69 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_256_SHA256, @@ -1482,6 +1501,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#endif /* Cipher 6A */ { @@ -1621,6 +1641,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 256, }, /* Cipher 85 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, @@ -1635,8 +1656,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#endif /* Cipher 86 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, @@ -1651,6 +1674,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#endif /* Cipher 87 */ { @@ -1787,6 +1811,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { }, /* Cipher 97 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_SEED_SHA, @@ -1801,8 +1826,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 98 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_SEED_SHA, @@ -1817,6 +1844,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher 99 */ { @@ -1935,6 +1963,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { }, /* Cipher A0 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256, @@ -1949,8 +1978,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher A1 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384, @@ -1965,6 +1996,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#endif /* Cipher A2 */ { @@ -1999,6 +2031,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { }, /* Cipher A4 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, @@ -2013,8 +2046,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, +#endif /* Cipher A5 */ +#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, @@ -2029,6 +2064,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#endif /* Cipher A6 */ {