diff options
author | Jack Lloyd <[email protected]> | 2016-12-28 09:04:07 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-12-28 09:04:07 -0500 |
commit | 00482921accad5eecb9336041f5c14ce4009bc67 (patch) | |
tree | c3be3e70c59a5504177b10e298ae81ab9f6e0c14 /src/lib/tls/tls_policy.cpp | |
parent | 6ca5a5bc8c73ecdbb37eb8a0d430f43b234f2787 (diff) |
Prohibit SHA256/SHA384 ciphersuites in TLS 1.0/1.1 (GH #496)
Diffstat (limited to 'src/lib/tls/tls_policy.cpp')
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index ccab54ca0..ae200ff47 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -391,9 +391,16 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version, if(!have_srp && suite.kex_algo() == "SRP_SHA") continue; - // Are we doing AEAD in a non-AEAD version - if(!version.supports_aead_modes() && suite.mac_algo() == "AEAD") - continue; + if(!version.supports_aead_modes()) + { + // Are we doing AEAD in a non-AEAD version? + if(suite.mac_algo() == "AEAD") + continue; + + // Older (v1.0/v1.1) versions also do not support any hash but SHA-1 + if(suite.mac_algo() != "SHA-1") + continue; + } if(!value_exists(kex, suite.kex_algo())) continue; // unsupported key exchange |