| Index: net/third_party/nss/ssl/sslenum.c
|
| ===================================================================
|
| --- net/third_party/nss/ssl/sslenum.c (revision 242942)
|
| +++ net/third_party/nss/ssl/sslenum.c (working copy)
|
| @@ -10,16 +10,6 @@
|
| #include "sslproto.h"
|
|
|
| /*
|
| - * The ciphers are listed in the following order:
|
| - * - stronger ciphers before weaker ciphers
|
| - * - national ciphers before international ciphers
|
| - * - faster ciphers before slower ciphers
|
| - *
|
| - * National ciphers such as Camellia are listed before international ciphers
|
| - * such as AES and RC4 to allow servers that prefer Camellia to negotiate
|
| - * Camellia without having to disable AES and RC4, which are needed for
|
| - * interoperability with clients that don't yet implement Camellia.
|
| - *
|
| * The ordering of cipher suites in this table must match the ordering in
|
| * the cipherSuites table in ssl3con.c.
|
| *
|
| @@ -27,77 +17,96 @@
|
| * in ssl3ecc.c.
|
| *
|
| * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
|
| + *
|
| + * The ordering is as follows:
|
| + * * No-encryption cipher suites last
|
| + * * Export/weak/obsolete cipher suites before no-encryption cipher suites
|
| + * * Order by key exchange algorithm: ECDHE, then DHE, then ECDH, RSA.
|
| + * * Within key agreement sections, order by symmetric encryption algorithm:
|
| + * AES-128, then Camellia-128, then AES-256, then Camellia-256, then SEED,
|
| + * then FIPS-3DES, then 3DES, then RC4. AES is commonly accepted as a
|
| + * strong cipher internationally, and is often hardware-accelerated.
|
| + * Camellia also has wide international support across standards
|
| + * organizations. SEED is only recommended by the Korean government. 3DES
|
| + * only provides 112 bits of security. RC4 is now deprecated or forbidden
|
| + * by many standards organizations.
|
| + * * Within symmetric algorithm sections, order by message authentication
|
| + * algorithm: GCM, then HMAC-SHA1, then HMAC-SHA256, then HMAC-MD5.
|
| + * * Within message authentication algorithm sections, order by asymmetric
|
| + * signature algorithm: ECDSA, then RSA, then DSS.
|
| + *
|
| + * Exception: Because some servers ignore the high-order byte of the cipher
|
| + * suite ID, we must be careful about adding cipher suites with IDs larger
|
| + * than 0x00ff; see bug 946147. For these broken servers, the first six cipher
|
| + * suites, with the MSB zeroed, look like:
|
| + * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA { 0x00,0x14 }
|
| + * TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }
|
| + * TLS_KRB5_EXPORT_WITH_RC4_40_MD5 {0x00,0x2B }
|
| + * TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
|
| + * TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
|
| + * TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
|
| + * The broken server only supports the fifth and sixth ones and will select
|
| + * the fifth one.
|
| */
|
| const PRUint16 SSL_ImplementedCiphers[] = {
|
| - /* AES-GCM */
|
| #ifdef NSS_ENABLE_ECC
|
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
| -#endif /* NSS_ENABLE_ECC */
|
| - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
|
| - TLS_RSA_WITH_AES_128_GCM_SHA256,
|
| -
|
| - /* 256-bit */
|
| -#ifdef NSS_ENABLE_ECC
|
| + /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
|
| + * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
|
| + */
|
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
| + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
| + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
| + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
| + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
| -#endif /* NSS_ENABLE_ECC */
|
| - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
|
| - TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
|
| - TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
|
| - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
|
| - TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
|
| -#ifdef NSS_ENABLE_ECC
|
| - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
|
| - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
|
| -#endif /* NSS_ENABLE_ECC */
|
| - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
|
| - TLS_RSA_WITH_AES_256_CBC_SHA,
|
| - TLS_RSA_WITH_AES_256_CBC_SHA256,
|
| -
|
| - /* 128-bit */
|
| -#ifdef NSS_ENABLE_ECC
|
| + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
| + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
| - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
| - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
| TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
| - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
| - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
| #endif /* NSS_ENABLE_ECC */
|
| +
|
| + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
|
| + TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
|
| + TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
|
| + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
|
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
|
| TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
|
| + TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
|
| + TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
|
| + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
|
| + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
|
| + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
|
| + SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
| + SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
|
| TLS_DHE_DSS_WITH_RC4_128_SHA,
|
| - TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
|
| - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
|
| - TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
|
| +
|
| #ifdef NSS_ENABLE_ECC
|
| - TLS_ECDH_RSA_WITH_RC4_128_SHA,
|
| + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
|
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
|
| + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
|
| + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
|
| + TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
| + TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
|
| TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
|
| - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
|
| + TLS_ECDH_RSA_WITH_RC4_128_SHA,
|
| #endif /* NSS_ENABLE_ECC */
|
| - TLS_RSA_WITH_SEED_CBC_SHA,
|
| - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
|
| - SSL_RSA_WITH_RC4_128_SHA,
|
| - SSL_RSA_WITH_RC4_128_MD5,
|
| +
|
| + TLS_RSA_WITH_AES_128_GCM_SHA256,
|
| TLS_RSA_WITH_AES_128_CBC_SHA,
|
| TLS_RSA_WITH_AES_128_CBC_SHA256,
|
| -
|
| - /* 112-bit 3DES */
|
| -#ifdef NSS_ENABLE_ECC
|
| - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
| - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
| -#endif /* NSS_ENABLE_ECC */
|
| - SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
| - SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
|
| -#ifdef NSS_ENABLE_ECC
|
| - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
|
| - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
| -#endif /* NSS_ENABLE_ECC */
|
| + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
|
| + TLS_RSA_WITH_AES_256_CBC_SHA,
|
| + TLS_RSA_WITH_AES_256_CBC_SHA256,
|
| + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
|
| + TLS_RSA_WITH_SEED_CBC_SHA,
|
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
|
| SSL_RSA_WITH_3DES_EDE_CBC_SHA,
|
| + SSL_RSA_WITH_RC4_128_SHA,
|
| + SSL_RSA_WITH_RC4_128_MD5,
|
|
|
| /* 56-bit DES "domestic" cipher suites */
|
| SSL_DHE_RSA_WITH_DES_CBC_SHA,
|
|
|
Chromium Code Reviews
Issue 111853013:
Update net/third_party/nss to NSS 3.15.4. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/