authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-20 22:59:07 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-20 22:59:07 +0000
commit9b4bc4a99d8774c263debe567bd12a7e4dc5b5a8 (patch)
treedfdbb8d9deaebc082586198b7c036a8924d163d1 /net/socket
parentf8fb3050547bcfeb1c56401180af37262556ce24 (diff)
Disable the HMAC-SHA256 and AES_256_GCM cipher suites for
SSLClientSocketOpenSSL. R=rsleevi@chromium.org BUG=255241 TEST=none Review URL: https://chromiumcodereview.appspot.com/23038011 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@218564 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r--net/socket/ssl_client_socket_openssl.cc8
1 files changed, 5 insertions, 3 deletions
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 4591cec..416ab87 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -532,9 +532,11 @@ bool SSLClientSocketOpenSSL::Init() {
STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_);
DCHECK(ciphers);
// See SSLConfig::disabled_cipher_suites for description of the suites
- // disabled by default. Note that !SHA384 only removes HMAC-SHA384 cipher
- // suites, not GCM cipher suites with SHA384 as the handshake hash.
- std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!SRP:!SHA384:!aECDH");
+ // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256
+ // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
+ // as the handshake hash.
+ std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!SRP:!SHA256:!SHA384:"
+ "!aECDH:!AESGCM+AES256");
// Walk through all the installed ciphers, seeing if any need to be
// appended to the cipher removal |command|.
for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
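Review bot: The updated comment explains `!SHA256` and `!SHA384` but says nothing about the new `!AESGCM+AES256` term at the end of `command`, which is the one term that does remove GCM suites and so reads as contradicting the sentence above it. I would add `// !AESGCM+AES256 ('+' is a logical AND) removes only the AES_256_GCM suites; AES_128_GCM stays enabled. See bug 255241.` directly above the string. Since the commit carries TEST=none, a check that the cipher list left after Init() contains no HMAC-SHA256 or AES_256_GCM suites would catch a change in how the OpenSSL keywords expand. Init() starts and continues outside this hunk, so how the finished `command` is applied is not visible here.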