Google Git
Sign in
android / platform / external / chromium_org / third_party / boringssl / src / ede973a
commitede973a89a5bf8784855d2bea9c8ae4a5e3e32ee[log] [tgz]
authorDavid Benjamin <davidben@chromium.org>Tue Aug 19 14:12:39 2014 -0400
committerAdam Langley <agl@google.com>Tue Aug 19 19:00:32 2014 +0000
tree07677c04d3622c68944003f23db431091a4e3225
parent6bc658d2e33548ff1a6fc10f0f4bdc1e24fe89cd [diff]
Tidy up cipher ordering.

To align with what Chrome sends on NSS, remove all 3DES cipher suites except
RSA_WITH_3DES_EDE_CBC_SHA. This avoids having to order a PFS 3DES cipher
against a non-PFS 3DES cipher.

Remove the strength sort which wanted place AES_256_CBC ahead of AES_128_GCM
and is not especially useful (everything under 128 is either 3DES or DES).
Instead, explicitly order all the bulk ciphers. Continue to prefer PFS over
non-PFS and ECDHE over DHE.

This gives the following order in Chromium. We can probably prune it a bit
(DHE_DSS, DH_*) in a follow-up.

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)   Forward Secrecy	256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)   Forward Secrecy	256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)   Forward Secrecy	256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy	128
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy	128
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0xa2)   Forward Secrecy*	128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   Forward Secrecy	128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy	256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   Forward Secrecy	256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)   Forward Secrecy*	256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy	128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   Forward Secrecy	128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy*	128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   Forward Secrecy	128
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)   Forward Secrecy	128
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0xa4)	128
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0xa0)	128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)	128
TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x37)	256
TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x36)	256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)	256
TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x31)	128
TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x30)	128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)	128
TLS_RSA_WITH_RC4_128_SHA (0x5)	128
TLS_RSA_WITH_RC4_128_MD5 (0x4)	128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)	112

BUG=405091

Change-Id: Ib8dd28469414a4eb496788a57a215e7e21f8c37f
Reviewed-on: https://boringssl-review.googlesource.com/1559
Reviewed-by: Adam Langley <agl@google.com>
3 files changed
tree: 07677c04d3622c68944003f23db431091a4e3225
  1. crypto/
  2. doc/
  3. include/
  4. ssl/
  5. tool/
  6. util/
  7. .clang-format
  8. .gitignore
  9. BUILDING
  10. CMakeLists.txt