
Commit 0fff506

author
Rich Salz
committed
SWEET32 (CVE-2016-2183): Move DES from HIGH to MEDIUM
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
1 parent 0ec0104 commit 0fff506


2 files changed

+21
-17
lines changed


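--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@
 
 *)
 
+*) In order to mitigate the SWEET32 attack (CVE-2016-2183),
+the DES ciphers were moved from HIGH to MEDIUM.
+[Rich Salz]
+
 Changes between 1.0.2g and 1.0.2h [3 May 2016]
 
 *) Prevent padding oracle in AES-NI CBC MAC check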

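--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -329,7 +329,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_SSLV3,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -382,7 +382,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_SSLV3,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -434,7 +434,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_SSLV3,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -487,7 +487,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_SSLV3,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -539,7 +539,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_SSLV3,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -625,7 +625,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_SSLV3,
-SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -712,7 +712,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_SSLV3,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -778,7 +778,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_MD5,
 SSL_SSLV3,
-SSL_NOT_EXP | SSL_HIGH,
+SSL_NOT_EXP | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -1728,7 +1728,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_TLSV1,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -2120,7 +2120,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_TLSV1,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -2200,7 +2200,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_TLSV1,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -2280,7 +2280,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_TLSV1,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -2360,7 +2360,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_TLSV1,
-SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -2440,7 +2440,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_TLSV1,
-SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -2490,7 +2490,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_TLSV1,
-SSL_NOT_EXP | SSL_HIGH,
+SSL_NOT_EXP | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -2506,7 +2506,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_TLSV1,
-SSL_NOT_EXP | SSL_HIGH,
+SSL_NOT_EXP | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,
@@ -2522,7 +2522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
 SSL_3DES,
 SSL_SHA1,
 SSL_TLSV1,
-SSL_NOT_EXP | SSL_HIGH,
+SSL_NOT_EXP | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 112,
 168,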
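Review bot: Relabelling the 3DES entries from `SSL_HIGH` to `SSL_MEDIUM` only takes them out of cipher strings that select HIGH alone; of the seventeen entries changed in this section only the two at new lines 628 and 2443 carry `SSL_NOT_DEFAULT`, so the other fifteen presumably remain negotiable through the default list and through any string that admits MEDIUM. If the goal is to mitigate SWEET32 for applications that never set a cipher string, those entries would also need `SSL_NOT_DEFAULT`, or the CHANGES entry should state that callers have to exclude MEDIUM or 3DES themselves. The reason for the new grade is not visible at the table, where the numeric fields after the changed line still read `112,` and `168,`; a comment at the first 3DES entry such as `/* 64-bit block cipher: graded MEDIUM because of SWEET32 (CVE-2016-2183), not key length */` would keep a later cleanup from restoring HIGH. Only CHANGES and ssl/s3_lib.c are touched, so any user documentation describing what HIGH and MEDIUM select may now be out of date and is worth checking. The `ssl3_ciphers[]` initializer starts and ends outside every hunk shown.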
