author | Péter Dimitrov <[email protected]> | 2018-09-07 11:14:54 +0200 |
committer | Péter Dimitrov <[email protected]> | 2018-09-07 11:14:54 +0200 |
commit | 69b54f6d2ef7462dedad3fa3be7e558ab4b00523 (patch) | |
tree | 997b6434df2a79d6b5f2eccbd69097db97969a23 | |
parent | 170527e70e80bf4bf3c0e2358bdd0115991e24b6 (diff) | |
ssl: Fix cipher suite handling
Implementations of TLS 1.3 which choose to support prior versions of
TLS SHOULD support TLS 1.2. That is, a TLS 1.3 ClientHello shall
advertise support for TLS 1.2 ciphers in order to be able to connect
to TLS 1.2 servers.
This commit changes the list of advertised cipher suites so that it also
includes the TLS 1.2 cipher suites.
Change-Id: Iaece3ac4b66a59dfbe97068b682d6010d74522b8
-rw-r--r-- | lib/ssl/src/ssl_cipher.erl | 5 | ||||
-rw-r--r-- | lib/ssl/src/tls_v1.erl | 14 |
2 files changed, 8 insertions, 11 deletions
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 799f240659..9bb2beaebd 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -303,11 +303,6 @@ suites({3, Minor}) ->
 suites({_, Minor}) ->
     dtls_v1:suites(Minor).
 
-all_suites({3, 4} = Version) ->
-    Default = suites(Version),
-    Rest = ssl:filter_cipher_suites(chacha_suites(Version) ++ psk_suites(Version),
-                                    tls_v1:v1_3_filters()),
-    Default ++ Rest;
 all_suites({3, _} = Version) ->
     suites(Version)
     ++ chacha_suites(Version)
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index e6be574916..7d28962d2d 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -32,7 +32,7 @@
 -export([master_secret/4, finished/5, certificate_verify/3, mac_hash/7,
          hmac_hash/3, setup_keys/8, suites/1, prf/5, ecc_curves/1,
          ecc_curves/2, oid_to_enum/1, enum_to_oid/1,
-         default_signature_algs/1, signature_algs/2, v1_3_filters/0,
+         default_signature_algs/1, signature_algs/2,
          default_signature_schemes/1, signature_schemes/2]).
 
 -type named_curve() :: sect571r1 | sect571k1 | secp521r1 | brainpoolP512r1 |
@@ -249,11 +249,13 @@ suites(3) ->
     ] ++ suites(2);
 
 suites(4) ->
-    ssl:filter_cipher_suites(suites(3), v1_3_filters()).
-
-v1_3_filters() ->
-    [{mac, fun(aead) -> true; (_) -> false end},
-     {key_exchange, fun(dhe_dss) -> false;(rsa) -> false; (rsa_psk) -> false;(_) -> true end}].
+    [?TLS_AES_256_GCM_SHA384,
+     ?TLS_AES_128_GCM_SHA256,
+     ?TLS_CHACHA20_POLY1305_SHA256
+     %% Not supported
+     %% ?TLS_AES_128_CCM_SHA256,
+     %% ?TLS_AES_128_CCM_8_SHA256
+    ] ++ suites(3).
 
 signature_algs({3, 4}, HashSigns) ->
     signature_algs({3, 3}, HashSigns);
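Review bot: Dropping the `all_suites({3, 4} = Version)` clause sends TLS 1.3 through the generic `all_suites({3, _} = Version)` clause, whose body starts in this hunk with `suites(Version) ++ chacha_suites(Version)` and continues outside it, so the `chacha_suites/1` and (presumably) `psk_suites/1` additions that the removed clause passed through `tls_v1:v1_3_filters()` now reach the TLS 1.3 list unfiltered. If `suites({3, 4})` delegates to `tls_v1:suites(4)`, which in the same commit already lists `?TLS_CHACHA20_POLY1305_SHA256`, it is worth checking the resulting list for duplicates and for suites the TLS 1.3 code path cannot negotiate, since filtering those was the only purpose of the deleted clause. A comment on the surviving clause would keep that intent visible, e.g. `%% {3,4} deliberately falls through here: a TLS 1.3 client also advertises the TLS 1.2 suites (RFC 8446, Appendix D).`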
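Review bot: The new `suites(4)` clause in tls_v1.erl states no reason for its ordering, yet the order is the client's preference in the ClientHello; a short comment would let the commit message's intent survive in the code, e.g. `%% TLS 1.3 suites first (preference order), then the TLS 1.2 suites so a TLS 1.2 server can still be reached (RFC 8446, Appendix D).` Because `suites(3)` itself ends with `++ suites(2)`, the TLS 1.3 list now also inherits everything down that chain, including the non-AEAD suites and the rsa/dhe_dss/rsa_psk key-exchange suites that the removed `v1_3_filters/0` used to strip; if that is intended, saying so in the same comment stops the next reader from re-adding the filter, and if it is not, the 1.2 part of the list still needs a filter. The `%% Not supported` block listing `?TLS_AES_128_CCM_SHA256` and `?TLS_AES_128_CCM_8_SHA256` reads better as a sentence than as commented-out code, e.g. `%% AES-CCM suites are not yet supported by this implementation.`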