From b3c2d9730fd1d023b648aa745a2afca569bf9933 Mon Sep 17 00:00:00 2001 From: davidben Date: Fri, 11 Mar 2016 14:36:17 -0800 Subject: Enable AES_256_GCM ciphers. This results in the following cipher suite order: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [not offered in initial handshake] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA [not offered in initial handshake] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA [not offered in initial handshake] TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA I've intentionally excluded DHE_RSA_WITH_AES_256_GCM_SHA384 because we intend to remove DHE ciphers later. BUG=591516 Review URL: https://codereview.chromium.org/1769393002 Cr-Commit-Position: refs/heads/master@{#380761} --- net/socket/ssl_client_socket_openssl.cc | 12 +++++++----- net/ssl/ssl_config.h | 13 ------------- 2 files changed, 7 insertions(+), 18 deletions(-) diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index 8a860f3..a98b815 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc @@ -971,11 +971,13 @@ int SSLClientSocketOpenSSL::Init() { SSL_set_mode(ssl_, mode.set_mask); SSL_clear_mode(ssl_, mode.clear_mask); - // See SSLConfig::disabled_cipher_suites for description of the suites - // disabled by default. Note that SHA256 and SHA384 only select HMAC-SHA256 - // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384 - // as the handshake hash. - std::string command("DEFAULT:!SHA256:-SHA384:!AESGCM+AES256:!aPSK"); + // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers + // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable + // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not + // supported. As DHE is being deprecated, don't add a cipher only to remove it + // immediately. + std::string command( + "DEFAULT:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK"); if (ssl_config_.require_ecdhe) command.append(":!kRSA:!kDHE"); diff --git a/net/ssl/ssl_config.h b/net/ssl/ssl_config.h index 0a5a83d..21f4ccc 100644 --- a/net/ssl/ssl_config.h +++ b/net/ssl/ssl_config.h @@ -97,19 +97,6 @@ struct NET_EXPORT SSLConfig { // Presorted list of cipher suites which should be explicitly prevented from // being used in addition to those disabled by the net built-in policy. // - // By default, all cipher suites supported by the underlying SSL - // implementation will be enabled except for: - // - Null encryption cipher suites. - // - Weak cipher suites: < 80 bits of security strength. - // - FORTEZZA cipher suites (obsolete). - // - IDEA cipher suites (RFC 5469 explains why). - // - Anonymous cipher suites. - // - ECDSA cipher suites on platforms that do not support ECDSA signed - // certificates, as servers may use the presence of such ciphersuites as a - // hint to send an ECDSA certificate. - // The ciphers listed in |disabled_cipher_suites| will be removed in addition - // to the above list. - // // Though cipher suites are sent in TLS as "uint8_t CipherSuite[2]", in // big-endian form, they should be declared in host byte order, with the // first uint8_t occupying the most significant byte. -- cgit v1.1