authorPéter Dimitrov <[email protected]>2018-09-07 11:14:54 +0200
committerPéter Dimitrov <[email protected]>2018-09-07 11:14:54 +0200
commit69b54f6d2ef7462dedad3fa3be7e558ab4b00523 (patch)
tree997b6434df2a79d6b5f2eccbd69097db97969a23 /lib/ssl
parent170527e70e80bf4bf3c0e2358bdd0115991e24b6 (diff)
ssl: Fix cipher suite handling
Implementations of TLS 1.3 which choose to support prior versions of TLS SHOULD support TLS 1.2. That is, a TLS 1.3 ClientHello shall advertise support for TLS 1.2 cipher suites in order to be able to connect to TLS 1.2 servers. This commit changes the list of the advertised cipher suites to include the older TLS 1.2 cipher suites. Change-Id: Iaece3ac4b66a59dfbe97068b682d6010d74522b8
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/src/ssl_cipher.erl5
-rw-r--r--lib/ssl/src/tls_v1.erl14
2 files changed, 8 insertions, 11 deletions
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 799f240659..9bb2beaebd 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -303,11 +303,6 @@ suites({3, Minor}) ->
suites({_, Minor}) ->
dtls_v1:suites(Minor).
-all_suites({3, 4} = Version) ->
- Default = suites(Version),
- Rest = ssl:filter_cipher_suites(chacha_suites(Version) ++ psk_suites(Version),
- tls_v1:v1_3_filters()),
- Default ++ Rest;
all_suites({3, _} = Version) ->
suites(Version)
++ chacha_suites(Version)
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index e6be574916..7d28962d2d 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -32,7 +32,7 @@
-export([master_secret/4, finished/5, certificate_verify/3, mac_hash/7, hmac_hash/3,
setup_keys/8, suites/1, prf/5,
ecc_curves/1, ecc_curves/2, oid_to_enum/1, enum_to_oid/1,
- default_signature_algs/1, signature_algs/2, v1_3_filters/0,
+ default_signature_algs/1, signature_algs/2,
default_signature_schemes/1, signature_schemes/2]).
-type named_curve() :: sect571r1 | sect571k1 | secp521r1 | brainpoolP512r1 |
@@ -249,11 +249,13 @@ suites(3) ->
] ++ suites(2);
suites(4) ->
- ssl:filter_cipher_suites(suites(3), v1_3_filters()).
-
-v1_3_filters() ->
- [{mac, fun(aead) -> true; (_) -> false end},
- {key_exchange, fun(dhe_dss) -> false;(rsa) -> false; (rsa_psk) -> false;(_) -> true end}].
+ [?TLS_AES_256_GCM_SHA384,
+ ?TLS_AES_128_GCM_SHA256,
+ ?TLS_CHACHA20_POLY1305_SHA256
+ %% Not supported
+ %% ?TLS_AES_128_CCM_SHA256,
+ %% ?TLS_AES_128_CCM_8_SHA256
+ ] ++ suites(3).
signature_algs({3, 4}, HashSigns) ->
signature_algs({3, 3}, HashSigns);
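Review bot: The new `suites(4)` clause appends `suites(3)` unfiltered, so a TLS 1.3 ClientHello now also offers the suites that the removed `v1_3_filters/0` used to exclude (non-AEAD MACs and the rsa, rsa_psk and dhe_dss key exchanges, i.e. suites without forward secrecy), and nothing in the hunk records that this widening is deliberate rather than a side effect of dropping the filter. If it is intended for TLS 1.2 interoperability, say so above the clause: `%% TLS 1.3 suites first so a 1.3 server prefers them; the full TLS 1.2 list follows (unfiltered) so the same ClientHello can still reach TLS 1.2 servers (RFC 8446 recommends supporting TLS 1.2).` If only forward-secret fallback suites are wanted, keep the former key_exchange filter on the appended `suites(3)` part and drop just the AEAD-only mac filter, e.g. `] ++ ssl:filter_cipher_suites(suites(3), [{key_exchange, fun(dhe_dss) -> false; (rsa) -> false; (rsa_psk) -> false; (_) -> true end}]).` The two `%% Not supported` CCM lines would also read better as a single comment stating why they are left out (no CCM implementation) rather than commented-out code. The hunk appears to lose a leading context line, so the exact preceding suite in `suites(3)` is not visible here.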