author | lloyd <[email protected]> | 2013-12-10 00:34:10 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2013-12-10 00:34:10 +0000 |
commit | c6ad94933ec0d718414ba41b3c289b872c04017f (patch) | |
tree | d336c90d8df5bcc81c853c6e7d8a036885fb8a83 | |
parent | 2b44af4c51bf31405f1361eba5f0a555106430a7 (diff) |
Have default TLS policy reject SSLv3. Add TLS::Policy::acceptable_ciphersuite
to allow either party to filter out specific ciphersuites they don't
wish to support for whatever reason.
-rw-r--r-- | doc/relnotes/1_11_6.rst | 3 | ||||
-rw-r--r-- | src/tls/tls_policy.cpp | 22 | ||||
-rw-r--r-- | src/tls/tls_policy.h | 3 |
3 files changed, 20 insertions, 8 deletions
diff --git a/doc/relnotes/1_11_6.rst b/doc/relnotes/1_11_6.rst
index b51339791..4b7284f53 100644
--- a/doc/relnotes/1_11_6.rst
+++ b/doc/relnotes/1_11_6.rst
@@ -3,7 +3,8 @@ Version 1.11.6, Not Yet Released
 * Botan now requires Boost, specifically the filesystem and asio libraries.
- * The default TLS policy no longer includes RC4 in the cipher list.
+ * The default TLS policy no longer includes RC4 in the cipher list, and
+ refuses to negotation SSLv3 by default.
 * Add HKDF from :rfc:`5869`
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp
index 3271c3abe..05251e186 100644
--- a/src/tls/tls_policy.cpp
+++ b/src/tls/tls_policy.cpp
@@ -20,10 +20,10 @@ std::vector<std::string> Policy::allowed_ciphers() const
 return std::vector<std::string>({
 "AES-256/GCM",
 "AES-128/GCM",
- "AES-256/CCM(16,3)",
- "AES-128/CCM(16,3)",
- "AES-256/CCM(8,3)",
- "AES-128/CCM(8,3)",
+ "AES-256/CCM",
+ "AES-128/CCM",
+ "AES-256/CCM-8",
+ "AES-128/CCM-8",
 //"Camellia-256/GCM",
 //"Camellia-128/GCM",
 "AES-256",
@@ -141,11 +141,16 @@ u32bit Policy::session_ticket_lifetime() const
 bool Policy::acceptable_protocol_version(Protocol_Version version) const
 {
- if(!version.known_version())
+ // By default require TLS to minimize surprise
+ if(version.is_datagram_protocol())
 return false;
- // By default require TLS to minimize surprise
- return !version.is_datagram_protocol();
+ return (version > Protocol_Version::SSL_V3);
+ }
+
+bool Policy::acceptable_ciphersuite(const Ciphersuite&) const
+ {
+ return true;
 }
 namespace {
@@ -235,6 +240,9 @@ std::vector<u16bit> Policy::ciphersuite_list(Protocol_Version version,
 for(auto suite : Ciphersuite::all_known_ciphersuites())
 {
+ if(!acceptable_ciphersuite(suite))
+ continue;
+
 if(!have_srp && suite.kex_algo() == "SRP_SHA")
 continue;
diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h
index 6a51f2bbf..5b205dfeb 100644
--- a/src/tls/tls_policy.h
+++ b/src/tls/tls_policy.h
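Review bot: With the `known_version()` guard removed in the `@@ -141,11 +141,16 @@` hunk, `acceptable_protocol_version` now returns true for any non-datagram value that orders above `Protocol_Version::SSL_V3`, including version codes the library does not recognise. Whether such a value can reach this check depends on callers outside the hunk, but a default policy is safer as an allow-list than as an ordering comparison. Keeping the old guard next to the new test, `if(!version.known_version() || version.is_datagram_protocol()) return false;`, retains the SSLv3 rejection without widening what is accepted. The comment `// By default require TLS to minimize surprise` now sits on the datagram test only, so the SSLv3 floor would benefit from its own line, for example `// SSLv3 is refused by default; subclasses may override to permit it`.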
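Review bot: Nothing in the `@@ -235,6 +240,9 @@` hunk shows the suite selected by the peer being checked against `acceptable_ciphersuite`; the predicate is consulted only while `ciphersuite_list` builds the local list. If the handshake code validates the peer's choice against the output of `ciphersuite_list`, the filter is complete. If it instead looks the suite up among all known ciphersuites, a suite the policy rejects could still end up negotiated, so that path is worth confirming and covering with a test. The loop body and the rest of `ciphersuite_list` lie outside the hunk, so this is a question for the author rather than a confirmed defect.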
@@ -9,6 +9,7 @@
 #define BOTAN_TLS_POLICY_H__
 #include <botan/tls_version.h>
+#include <botan/tls_ciphersuite.h>
 #include <botan/x509cert.h>
 #include <botan/dl_group.h>
 #include <vector>
@@ -127,6 +128,8 @@ class BOTAN_DLL Policy
 */
 virtual bool acceptable_protocol_version(Protocol_Version version) const;
+ virtual bool acceptable_ciphersuite(const Ciphersuite& suite) const;
+
 /**
 * @return true if servers should choose the ciphersuite matching
 * their highest preference, rather than the clients. |
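Review bot: The new `acceptable_ciphersuite` declaration in the `@@ -127,6 +128,8 @@` hunk has no Doxygen comment, although the declarations on either side of it do, and as a public override point it should state its contract. A comment such as `/** @return true if this ciphersuite may be negotiated; the default accepts every known suite */` would match the neighbouring style and make clear that returning false removes the suite from `ciphersuite_list`. Because the class is exported with `BOTAN_DLL`, adding a virtual in the middle of it probably changes the vtable layout seen by existing subclasses, which may deserve a line in the release notes.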