diff options
| author | Alex Klyubin <klyubin@google.com> | 2013-12-18 11:03:17 -0800 |
|---|---|---|
| committer | Alex Klyubin <klyubin@google.com> | 2013-12-18 12:52:31 -0800 |
| commit | 9a61ef3365ba5e33c65eec42fc80c7e47bc09958 (patch) | |
| tree | d96d237879d51cf361445a60ee776865506a9c94 | |
| parent | 333fcb4081cbda1207d76ef24b293ca316c30242 (diff) | |
| download | libcore-9a61ef3365ba5e33c65eec42fc80c7e47bc09958.zip libcore-9a61ef3365ba5e33c65eec42fc80c7e47bc09958.tar.gz libcore-9a61ef3365ba5e33c65eec42fc80c7e47bc09958.tar.bz2 | |
Disable 3DES cipher suites in SSLSocket.
The effective key length for 3DES_EDE bulk encryption algorithm
is only 112 bits. We're now aiming for 128 and higher.
Scans show that removing these cipher suites from the default list
causes handshake issues only with 0.15% of the ecosystem.
Bug: 11220570
Change-Id: Ie01ebe8134d08a36b276295b804540157963be8f
| -rw-r--r-- | luni/src/main/java/javax/net/ssl/SSLSocket.java | 14 | ||||
| -rw-r--r-- | support/src/test/java/libcore/java/security/StandardNames.java | 6 |
2 files changed, 7 insertions, 13 deletions
diff --git a/luni/src/main/java/javax/net/ssl/SSLSocket.java b/luni/src/main/java/javax/net/ssl/SSLSocket.java index 8a347b3..e97b411 100644 --- a/luni/src/main/java/javax/net/ssl/SSLSocket.java +++ b/luni/src/main/java/javax/net/ssl/SSLSocket.java @@ -138,7 +138,7 @@ import java.net.UnknownHostException; * <tr> * <td>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</td> * <td>9+</td> - * <td>9+</td> + * <td>9-19</td> * </tr> * <tr> * <td>SSL_DHE_RSA_WITH_DES_CBC_SHA</td> @@ -183,7 +183,7 @@ import java.net.UnknownHostException; * <tr> * <td>SSL_RSA_WITH_3DES_EDE_CBC_SHA</td> * <td>9+</td> - * <td>9+</td> + * <td>9-19</td> * </tr> * <tr> * <td>SSL_RSA_WITH_DES_CBC_SHA</td> @@ -303,7 +303,7 @@ import java.net.UnknownHostException; * <tr> * <td>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</td> * <td>11+</td> - * <td>11+</td> + * <td>11-19</td> * </tr> * <tr> * <td>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</td> @@ -348,7 +348,7 @@ import java.net.UnknownHostException; * <tr> * <td>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</td> * <td>11+</td> - * <td>11+</td> + * <td>11-19</td> * </tr> * <tr> * <td>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</td> @@ -596,7 +596,7 @@ import java.net.UnknownHostException; * <td>DES-CBC3-SHA</td> * <td>SSL_RSA_WITH_3DES_EDE_CBC_SHA</td> * <td>1+</td> - * <td>1+</td> + * <td>1-19</td> * </tr> * <tr> * <td>DHE-DSS-AES128-SHA</td> @@ -632,7 +632,7 @@ import java.net.UnknownHostException; * <td>EDH-DSS-DES-CBC3-SHA</td> * <td>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</td> * <td>1+</td> - * <td>1+</td> + * <td>1-19</td> * </tr> * <tr> * <td>EDH-RSA-DES-CBC-SHA</td> @@ -644,7 +644,7 @@ import java.net.UnknownHostException; * <td>EDH-RSA-DES-CBC3-SHA</td> * <td>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</td> * <td>1+</td> - * <td>1+</td> + * <td>1-19</td> * </tr> * <tr> * <td>EXP-DES-CBC-SHA</td> diff --git a/support/src/test/java/libcore/java/security/StandardNames.java b/support/src/test/java/libcore/java/security/StandardNames.java index 7ca38bd..c2d8921 100644 --- a/support/src/test/java/libcore/java/security/StandardNames.java +++ b/support/src/test/java/libcore/java/security/StandardNames.java @@ -806,11 +806,6 @@ public final class StandardNames extends Assert { "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - "SSL_RSA_WITH_3DES_EDE_CBC_SHA", CIPHER_SUITE_SECURE_RENEGOTIATION); private static final Set<String> PERMITTED_DEFAULT_KEY_EXCHANGE_ALGS = @@ -824,7 +819,6 @@ public final class StandardNames extends Assert { private static final Set<String> PERMITTED_DEFAULT_BULK_ENCRYPTION_CIPHERS = new HashSet<String>(Arrays.asList("RC4_128", - "3DES_EDE_CBC", "AES_128_CBC", "AES_256_CBC", "AES_128_GCM", |