[tor-commits] [tor/master] Update ciphers.inc to match ff28

nickm at torproject.org nickm at torproject.org
Wed Apr 9 00:43:31 UTC 2014


commit 4231729176c63d28f7adb61074f79464e2ee73a7
Author: Nick Mathewson <nickm at torproject.org>
Date:   Tue Apr 8 11:31:48 2014 -0400

    Update ciphers.inc to match ff28
    
    The major changes are to re-order some ciphers, to drop the ECDH suites
    (note: *not* ECDHE: ECDHE is still there), to kill off some made-up
    stuff (like the SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA suite), to drop
    some of the DSS suites... *and* to enable the ECDHE+GCM ciphersuites.
    
    This change is autogenerated by get_mozilla_ciphers.py from
    Firefox 28 and OpenSSL 1.0.1g.
    
    Resolves ticket 11438.
---
 changes/ff28_ciphers   |    6 ++
 src/common/ciphers.inc |  169 ++++++++++++++++--------------------------------
 2 files changed, 60 insertions(+), 115 deletions(-)

diff --git a/changes/ff28_ciphers b/changes/ff28_ciphers
new file mode 100644
index 0000000..05eb4e9
--- /dev/null
+++ b/changes/ff28_ciphers
@@ -0,0 +1,6 @@
+  o Minor features (performance, compatibility):
+    - Update the list of TLS cipehrsuites that a client advertises
+      to match those advertised by Firefox 28. This enables selection of
+      (fast) GCM ciphersuites, disables some strange old ciphers, and
+      disables the ECDH (not to be confused with ECDHE) ciphersuites.
+      Resolves ticket 11438.
diff --git a/src/common/ciphers.inc b/src/common/ciphers.inc
index 137d78b..ab4ac40 100644
--- a/src/common/ciphers.inc
+++ b/src/common/ciphers.inc
@@ -4,86 +4,51 @@
  *
  * This file was automatically generated by get_mozilla_ciphers.py.
  */
-#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-    CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
-#else
-   XCIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
-    CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-#else
-   XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
-    CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
-#else
-   XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
-    CIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
 #else
-   XCIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
+   XCIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
 #endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
-    CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    CIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
 #else
-   XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
+   XCIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
 #endif
-#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
-    CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+    CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
 #else
-   XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
+   XCIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA
-    CIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+    CIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
 #else
-   XCIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA)
+   XCIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA
-    CIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
+    CIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
 #else
-   XCIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
+   XCIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
-    CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
+    CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
 #else
-   XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
+   XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
-    CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
+    CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
 #else
-   XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
+   XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
 #endif
 #ifdef TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA
     CIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
 #else
    XCIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
 #endif
-#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-    CIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
-#else
-   XCIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
-#endif
 #ifdef TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
     CIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
 #else
    XCIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
 #endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
-    CIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-#else
-   XCIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
-    CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
-#else
-   XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
-    CIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
-#else
-   XCIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
-#endif
 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
     CIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
 #else
@@ -94,89 +59,63 @@
 #else
    XCIPHER(0x0032, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA)
 #endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA
-    CIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA)
-#else
-   XCIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA)
-#endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA
-    CIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA)
-#else
-   XCIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA
-    CIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA)
-#else
-   XCIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA)
-#endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA
-    CIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
+#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+    CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
 #else
-   XCIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
+   XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_RSA_WITH_SEED_SHA
-    CIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA)
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
+    CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
 #else
-   XCIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA)
+   XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
 #endif
-#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
-    CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
+#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
+    CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
 #else
-   XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
+   XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
 #endif
-#ifdef SSL3_TXT_RSA_RC4_128_MD5
-    CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
+#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+    CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
 #else
-   XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
+   XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
 #endif
-#ifdef SSL3_TXT_RSA_RC4_128_SHA
-    CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
+#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
+    CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
 #else
-   XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
+   XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
 #endif
 #ifdef TLS1_TXT_RSA_WITH_AES_128_SHA
     CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
 #else
    XCIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
 #endif
-#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA
-    CIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA)
-#else
-   XCIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA)
-#endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
-    CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
-#else
-   XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
-#endif
-#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
-    CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
+#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
+    CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
 #else
-   XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
+   XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
 #endif
-#ifdef SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA
-    CIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
+#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
+    CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
 #else
-   XCIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
+   XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
 #endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA
-    CIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
+#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
+    CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
 #else
-   XCIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
+   XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA
-    CIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA)
+#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
+    CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
 #else
-   XCIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA)
+   XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
 #endif
-/* No openssl macro found for 0xfeff */
-#ifdef SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
-    CIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
+#ifdef SSL3_TXT_RSA_RC4_128_SHA
+    CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
 #else
-   XCIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
+   XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
 #endif
-#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
-    CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
+#ifdef SSL3_TXT_RSA_RC4_128_MD5
+    CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
 #else
-   XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
+   XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
 #endif





More information about the tor-commits mailing list