aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls/tls_policy.cpp
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-12-28 09:04:07 -0500
committerJack Lloyd <[email protected]>2016-12-28 09:04:07 -0500
commit00482921accad5eecb9336041f5c14ce4009bc67 (patch)
treec3be3e70c59a5504177b10e298ae81ab9f6e0c14 /src/lib/tls/tls_policy.cpp
parent6ca5a5bc8c73ecdbb37eb8a0d430f43b234f2787 (diff)
Prohibit SHA256/SHA384 ciphersuites in TLS 1.0/1.1 (GH #496)
Diffstat (limited to 'src/lib/tls/tls_policy.cpp')
-rw-r--r--src/lib/tls/tls_policy.cpp13
1 files changed, 10 insertions, 3 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index ccab54ca0..ae200ff47 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -391,9 +391,16 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
if(!have_srp && suite.kex_algo() == "SRP_SHA")
continue;
- // Are we doing AEAD in a non-AEAD version
- if(!version.supports_aead_modes() && suite.mac_algo() == "AEAD")
- continue;
+ if(!version.supports_aead_modes())
+ {
+ // Are we doing AEAD in a non-AEAD version?
+ if(suite.mac_algo() == "AEAD")
+ continue;
+
+ // Older (v1.0/v1.1) versions also do not support any hash but SHA-1
+ if(suite.mac_algo() != "SHA-1")
+ continue;
+ }
if(!value_exists(kex, suite.kex_algo()))
continue; // unsupported key exchange