Update ciphers in AppleTLS
Also enable TLS False Start while at it
nmaier committed Mar 3, 2016
1 parent ba7315b commit fc490ac
Showing 1 changed file with 25 additions and 5 deletions.
30 changes: 25 additions & 5 deletions src/AppleTLSSession.cc
Expand Up @@ -105,9 +105,10 @@ static struct {
SSLCipherSuite suite;
const char* name;
} kSuites[] = {
// From CipherSuite.h (10.9)
// From CipherSuite.h (10.11)
SUITE(SSL_NULL_WITH_NULL_NULL, 0x0000),
SUITE(SSL_RSA_WITH_NULL_MD5, 0x0001), SUITE(SSL_RSA_WITH_NULL_SHA, 0x0002),
SUITE(SSL_RSA_WITH_NULL_MD5, 0x0001),
SUITE(SSL_RSA_WITH_NULL_SHA, 0x0002),
SUITE(SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0x0003),
SUITE(SSL_RSA_WITH_RC4_128_MD5, 0x0004),
SUITE(SSL_RSA_WITH_RC4_128_SHA, 0x0005),
Expand Down Expand Up @@ -173,17 +174,28 @@ static struct {
SUITE(TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0xC018),
SUITE(TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0xC019),
SUITE(TLS_NULL_WITH_NULL_NULL, 0x0000),
SUITE(TLS_RSA_WITH_NULL_MD5, 0x0001), SUITE(TLS_RSA_WITH_NULL_SHA, 0x0002),
SUITE(TLS_RSA_WITH_NULL_MD5, 0x0001),
SUITE(TLS_RSA_WITH_NULL_SHA, 0x0002),
SUITE(TLS_RSA_WITH_RC4_128_MD5, 0x0004),
SUITE(TLS_RSA_WITH_RC4_128_SHA, 0x0005),
SUITE(TLS_RSA_WITH_3DES_EDE_CBC_SHA, 0x000A),
SUITE(TLS_RSA_WITH_AES_128_CBC_SHA, 0x002F),
SUITE(TLS_RSA_WITH_AES_256_CBC_SHA, 0x0035),
SUITE(TLS_RSA_WITH_NULL_SHA256, 0x003B),
SUITE(TLS_RSA_WITH_AES_128_CBC_SHA256, 0x003C),
SUITE(TLS_RSA_WITH_AES_256_CBC_SHA256, 0x003D),
SUITE(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, 0x000D),
SUITE(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, 0x0010),
SUITE(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 0x0013),
SUITE(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 0x0016),
SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA, 0x0030),
SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA, 0x0031),
SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 0x0032),
SUITE(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 0x0033),
SUITE(TLS_DH_DSS_WITH_AES_256_CBC_SHA, 0x0036),
SUITE(TLS_DH_RSA_WITH_AES_256_CBC_SHA, 0x0037),
SUITE(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 0x0038),
SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 0x0039),
SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA256, 0x003E),
SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA256, 0x003F),
SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 0x0040),
Expand All @@ -194,6 +206,8 @@ static struct {
SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 0x006B),
SUITE(TLS_DH_anon_WITH_RC4_128_MD5, 0x0018),
SUITE(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, 0x001B),
SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA, 0x0034),
SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA, 0x003A),
SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA256, 0x006C),
SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA256, 0x006D),
SUITE(TLS_PSK_WITH_RC4_128_SHA, 0x008A),
Expand Down Expand Up @@ -262,7 +276,8 @@ static struct {
SUITE(SSL_RSA_WITH_IDEA_CBC_MD5, 0xFF81),
SUITE(SSL_RSA_WITH_DES_CBC_MD5, 0xFF82),
SUITE(SSL_RSA_WITH_3DES_EDE_CBC_MD5, 0xFF83),
SUITE(SSL_NO_SUCH_CIPHERSUITE, 0xFFFF)};
SUITE(SSL_NO_SUCH_CIPHERSUITE, 0xFFFF)
};
#undef SUITE

static inline std::string suiteToString(const SSLCipherSuite suite)
Expand All @@ -280,7 +295,7 @@ static inline std::string suiteToString(const SSLCipherSuite suite)
}

static const char* kBlocked[] = {"NULL", "anon", "MD5", "EXPORT", "DES",
"IDEA", "NO_SUCH", "EMPTY", "PSK"};
"IDEA", "NO_SUCH", "PSK"};

static inline bool isBlockedSuite(SSLCipherSuite suite)
{
Expand Down Expand Up @@ -404,6 +419,11 @@ AppleTLSSession::AppleTLSSession(AppleTLSContext* ctx)
(SSLSessionOption)0x4, // kSSLSessionOptionSendOneByteRecord
#endif
true);
// False Start, if available
#if defined(__MAC_10_9)
(void)SSLSetSessionOption(sslCtx_, kSSLSessionOptionFalseStart, true);
#endif


#if defined(__MAC_10_8)
if (!ctx->getVerifyPeer()) {
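Review bot: The `kBlocked` list still has no `"RC4"` entry after this change, so names such as `SSL_RSA_WITH_RC4_128_SHA` and `TLS_RSA_WITH_RC4_128_SHA` in `kSuites` match none of the blocked tokens. If `isBlockedSuite` filters by substring on the suite name (its body is outside the visible hunks, so this is inferred), those RC4 suites stay negotiable. This matters more now that the same commit turns on `kSSLSessionOptionFalseStart`, where the client sends application data before it has checked the server's Finished message and therefore relies on the negotiated suite being strong. I would change the last line of the list to `"IDEA", "NO_SUCH", "PSK", "RC4"};` and add a comment at the False Start call saying the return value is ignored on purpose and that `__MAC_10_9` only proves the SDK knows the option, not that the running OS accepts it. Dropping `"EMPTY"` presumably unblocks the renegotiation-info SCSV; a one-line comment on `kBlocked` stating that would keep it from being re-added.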
