Merge pull request #4426 from ronald-cron-arm/remove-enable-weak-ciphersuites
Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option
This commit is contained in:
Ronald Cron
GitHub
commit
98d00d06a0
7 changed files with 16 additions and 46 deletions
2
ChangeLog.d/remove-enable-weak-ciphersuites.txt
Normal file
2
ChangeLog.d/remove-enable-weak-ciphersuites.txt
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
Removals
|
||||
* Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.
|
||||
|
|
@ -612,8 +612,7 @@
|
|||
* Warning: Only do so when you know what you are doing. This allows for
|
||||
* encryption or channels without any security!
|
||||
*
|
||||
* Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
|
||||
* the following ciphersuites:
|
||||
* To enable the following ciphersuites:
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
|
||||
|
|
@ -654,20 +653,6 @@
|
|||
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
|
||||
#define MBEDTLS_CIPHER_PADDING_ZEROS
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
|
||||
*
|
||||
* Enable weak ciphersuites in SSL / TLS.
|
||||
* Warning: Only do so when you know what you are doing. This allows for
|
||||
* channels with virtually no security at all!
|
||||
*
|
||||
* Uncomment this macro to enable weak ciphersuites
|
||||
*
|
||||
* \warning DES is considered a weak cipher and its use constitutes a
|
||||
* security risk. We recommend considering stronger ciphers instead.
|
||||
*/
|
||||
//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
*
|
||||
|
|
|
|||
|
|
@ -0,0 +1,12 @@
|
|||
Remove the configuration to enable weak ciphersuites in SSL / TLS
|
||||
-----------------------------------------------------------------
|
||||
|
||||
This does not affect users who use the default `config.h`, as this option was
|
||||
already off by default.
|
||||
|
||||
If you were using a weak cipher, please switch to any of the modern,
|
||||
recommended ciphersuites (based on AES-GCM, AES-CCM or ChachaPoly for example)
|
||||
and if your peer doesn't support any, encourage them to upgrade their software.
|
||||
|
||||
If you were using a ciphersuite without encryption, you just have to
|
||||
enable MBEDTLS_CIPHER_NULL_CIPHER now.
|
||||
|
|
@ -659,8 +659,7 @@
|
|||
* Warning: Only do so when you know what you are doing. This allows for
|
||||
* encryption or channels without any security!
|
||||
*
|
||||
* Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
|
||||
* the following ciphersuites:
|
||||
* To enable the following ciphersuites:
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
|
||||
|
|
@ -708,20 +707,6 @@
|
|||
*/
|
||||
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
|
||||
*
|
||||
* Enable weak ciphersuites in SSL / TLS.
|
||||
* Warning: Only do so when you know what you are doing. This allows for
|
||||
* channels with virtually no security at all!
|
||||
*
|
||||
* Uncomment this macro to enable weak ciphersuites
|
||||
*
|
||||
* \warning DES is considered a weak cipher and its use constitutes a
|
||||
* security risk. We recommend considering stronger ciphers instead.
|
||||
*/
|
||||
//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
|
||||
*
|
||||
|
|
|
|||
|
|
@ -1534,7 +1534,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_AES_C */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
|
||||
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
|
|
@ -1667,8 +1666,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
|
||||
|
||||
#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
|
||||
|
||||
#if defined(MBEDTLS_ARIA_C)
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
|
|
|
|||
|
|
@ -300,9 +300,6 @@ static const char * const features[] = {
|
|||
#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
|
||||
"MBEDTLS_CTR_DRBG_USE_128_BIT_KEY",
|
||||
#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
|
||||
#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
|
||||
"MBEDTLS_ENABLE_WEAK_CIPHERSUITES",
|
||||
#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
|
||||
#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
|
||||
"MBEDTLS_REMOVE_3DES_CIPHERSUITES",
|
||||
#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
|
||||
|
|
|
|||
|
|
@ -851,14 +851,6 @@ int query_config( const char *config )
|
|||
}
|
||||
#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
|
||||
|
||||
#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
|
||||
if( strcmp( "MBEDTLS_ENABLE_WEAK_CIPHERSUITES", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_ENABLE_WEAK_CIPHERSUITES );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
|
||||
|
||||
#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
|
||||
if( strcmp( "MBEDTLS_REMOVE_3DES_CIPHERSUITES", config ) == 0 )
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in a new issue