authorJack Lloyd <[email protected]>2016-12-28 09:04:07 -0500
committerJack Lloyd <[email protected]>2016-12-28 09:04:07 -0500
commit00482921accad5eecb9336041f5c14ce4009bc67 (patch)
treec3be3e70c59a5504177b10e298ae81ab9f6e0c14
parent6ca5a5bc8c73ecdbb37eb8a0d430f43b234f2787 (diff)
Prohibit SHA256/SHA384 ciphersuites in TLS 1.0/1.1 (GH #496)
-rw-r--r--src/lib/tls/tls_policy.cpp13
1 files changed, 10 insertions, 3 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index ccab54ca0..ae200ff47 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -391,9 +391,16 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
if(!have_srp && suite.kex_algo() == "SRP_SHA")
continue;
- // Are we doing AEAD in a non-AEAD version
- if(!version.supports_aead_modes() && suite.mac_algo() == "AEAD")
- continue;
+ if(!version.supports_aead_modes())
+ {
+ // Are we doing AEAD in a non-AEAD version?
+ if(suite.mac_algo() == "AEAD")
+ continue;
+
+ // Older (v1.0/v1.1) versions also do not support any hash but SHA-1
+ if(suite.mac_algo() != "SHA-1")
+ continue;
+ }
if(!value_exists(kex, suite.kex_algo()))
continue; // unsupported key exchange
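Review bot: The AEAD test added inside the new block is redundant: any suite whose mac_algo() is "AEAD" already fails the `suite.mac_algo() != "SHA-1"` test two lines below, so the first `continue` can never be the one that fires. Collapsing the block to a single allow-list check keeps the stricter reject-by-default shape and makes the intent explicit, e.g. `// Pre-v1.2 versions only define SHA-1 based MACs; this also excludes AEAD suites, which are tagged "AEAD" here` followed by `if(suite.mac_algo() != "SHA-1") continue;`. Note that this allow-list also drops any MD5-MAC suites for these versions, which the commit message (SHA256/SHA384) does not mention; if that is intended, the comment should say so. The enclosing Policy::ciphersuite_list begins and ends outside the hunk, and the hunk header counts two context lines that do not appear here, presumably blank lines lost in rendering.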