From 330d7f53f7890c0fbafa5b4769ce4ef23e734659 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Sun, 25 Nov 2018 17:27:48 +0100 Subject: tls: add a comment on expanding list of supported ciphers Signed-off-by: Denys Vlasenko --- networking/tls.c | 37 ++++++++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 7 deletions(-) (limited to 'networking') diff --git a/networking/tls.c b/networking/tls.c index 9833a0a..e64e84f 100644 --- a/networking/tls.c +++ b/networking/tls.c @@ -50,17 +50,39 @@ // ok: openssl s_client -connect cdn.kernel.org:443 -debug -tls1_2 -no_tls1 -no_tls1_1 -cipher AES128-GCM-SHA256 // ok: openssl s_client -connect cdn.kernel.org:443 -debug -tls1_2 -no_tls1 -no_tls1_1 -cipher AES128-SHA // (TLS_RSA_WITH_AES_128_CBC_SHA - in TLS 1.2 it's mandated to be always supported) -#define CIPHER_ID1 TLS_RSA_WITH_AES_256_CBC_SHA256 // no SERVER_KEY_EXCHANGE from peer +#define CIPHER_ID1 TLS_RSA_WITH_AES_256_CBC_SHA256 //0x003D // Works with "wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.9.5.tar.xz" -#define CIPHER_ID2 TLS_RSA_WITH_AES_128_CBC_SHA +#define CIPHER_ID2 TLS_RSA_WITH_AES_128_CBC_SHA //0x003C // bug #11456: // ftp.openbsd.org only supports ECDHE-RSA-AESnnn-GCM-SHAnnn or ECDHE-RSA-CHACHA20-POLY1305 -#define CIPHER_ID3 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +#define CIPHER_ID3 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 //0xC02F // host is.gd accepts only ECDHE-ECDSA-foo (the simplest which works: ECDHE-ECDSA-AES128-SHA 0xC009) -#define CIPHER_ID4 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA +#define CIPHER_ID4 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA //0xC009 #define NUM_CIPHERS 4 +//TODO: we can support all these: +// TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C +// TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D +// TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C +// TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D +// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 +// TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A +// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 +// TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 +// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 +////TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 - can't do SHA384 yet +// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 +////TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 - can't do SHA384 yet +// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B +// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C +// TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F +// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 +//possibly these too: +// TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035 +// TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036 +// TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037 +////TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 0xC038 - can't do SHA384 yet #define TLS_DEBUG 0 @@ -142,6 +164,10 @@ #define TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x0090 /* 144 */ #define TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x0091 /* 145 */ #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 /* 150 */ +#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C /*TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD */ +#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D /*TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD */ +#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E /*TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD */ +#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F /*TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD */ #define TLS_PSK_WITH_AES_128_CBC_SHA256 0x00AE /* 174 */ #define TLS_PSK_WITH_AES_256_CBC_SHA384 0x00AF /* 175 */ #define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004 /* 49156 */ @@ -161,10 +187,7 @@ #define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 /*TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 */ #define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029 /* 49193 */ #define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A /* 49194 */ - /* RFC 5288 "AES Galois Counter Mode (GCM) Cipher Suites for TLS" */ -#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C /*TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD */ -#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D /*TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD */ #define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B /*TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD */ #define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C /*TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD */ #define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D /* 49197 */ -- cgit v1.1