author | chegar |
Thu, 17 Oct 2019 20:54:25 +0100 | |
branch | datagramsocketimpl-branch |
changeset 58679 | 9c3209ff7550 |
parent 58678 | 9cf78a70fa4f |
parent 57718 | a93b7b28f644 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
2 |
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.ssl; |
|
27 |
||
50768 | 28 |
import java.util.ArrayList; |
29 |
import java.util.Arrays; |
|
30 |
import java.util.Collection; |
|
31 |
import java.util.Collections; |
|
32 |
import java.util.LinkedList; |
|
33 |
import java.util.List; |
|
34 |
import static sun.security.ssl.CipherSuite.HashAlg.*; |
|
2 | 35 |
import static sun.security.ssl.CipherSuite.KeyExchange.*; |
29488 | 36 |
import static sun.security.ssl.CipherSuite.MacAlg.*; |
50768 | 37 |
import static sun.security.ssl.SSLCipher.*; |
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
38 |
import sun.security.ssl.NamedGroup.NamedGroupSpec; |
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
39 |
import static sun.security.ssl.NamedGroup.NamedGroupSpec.*; |
2 | 40 |
|
41 |
/** |
|
50768 | 42 |
* Enum for SSL/(D)TLS cipher suites. |
2 | 43 |
* |
50768 | 44 |
* Please refer to the "TLS Cipher Suite Registry" section for more details |
45 |
* about each cipher suite: |
|
46 |
* https://www.iana.org/assignments/tls-parameters/tls-parameters.xml |
|
2 | 47 |
*/ |
50768 | 48 |
enum CipherSuite { |
49 |
// |
|
50 |
// in preference order |
|
51 |
// |
|
52 |
||
53 |
// Definition of the CipherSuites that are enabled by default. |
|
54 |
// |
|
55 |
// They are listed in preference order, most preferred first, using |
|
56 |
// the following criteria: |
|
57 |
// 1. Prefer Suite B compliant cipher suites, see RFC6460 (To be |
|
58 |
// changed later, see below). |
|
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
59 |
// 2. Prefer forward secrecy cipher suites. |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
60 |
// 3. Prefer the stronger bulk cipher, in the order of AES_256(GCM), |
50768 | 61 |
// AES_128(GCM), AES_256, AES_128, 3DES-EDE. |
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
62 |
// 4. Prefer the stronger MAC algorithm, in the order of SHA384, |
50768 | 63 |
// SHA256, SHA, MD5. |
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
64 |
// 5. Prefer the better performance of key exchange and digital |
50768 | 65 |
// signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA, |
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
66 |
// DHE-RSA, DHE-DSS, ECDH-ECDSA, ECDH-RSA, RSA. |
50768 | 67 |
|
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
68 |
// TLS 1.3 cipher suites. |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
69 |
TLS_AES_256_GCM_SHA384( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
70 |
0x1302, true, "TLS_AES_256_GCM_SHA384", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
71 |
ProtocolVersion.PROTOCOLS_OF_13, B_AES_256_GCM_IV, H_SHA384), |
50768 | 72 |
TLS_AES_128_GCM_SHA256( |
73 |
0x1301, true, "TLS_AES_128_GCM_SHA256", |
|
74 |
ProtocolVersion.PROTOCOLS_OF_13, B_AES_128_GCM_IV, H_SHA256), |
|
51773 | 75 |
TLS_CHACHA20_POLY1305_SHA256( |
76 |
0x1303, true, "TLS_CHACHA20_POLY1305_SHA256", |
|
77 |
ProtocolVersion.PROTOCOLS_OF_13, B_CC20_P1305, H_SHA256), |
|
50768 | 78 |
|
79 |
// Suite B compliant cipher suites, see RFC 6460. |
|
80 |
// |
|
81 |
// Note that, at present this provider is not Suite B compliant. The |
|
82 |
// preference order of the GCM cipher suites does not follow the spec |
|
83 |
// of RFC 6460. In this section, only two cipher suites are listed |
|
84 |
// so that applications can make use of Suite-B compliant cipher |
|
85 |
// suite firstly. |
|
86 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384( |
|
87 |
0xC02C, true, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "", |
|
88 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
89 |
K_ECDHE_ECDSA, B_AES_256_GCM, M_NULL, H_SHA384), |
|
90 |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256( |
|
91 |
0xC02B, true, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "", |
|
92 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
93 |
K_ECDHE_ECDSA, B_AES_128_GCM, M_NULL, H_SHA256), |
|
94 |
||
51773 | 95 |
// Not suite B, but we want it to position the suite early in the list |
96 |
// of 1.2 suites. |
|
97 |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256( |
|
98 |
0xCCA9, true, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "", |
|
99 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
100 |
K_ECDHE_ECDSA, B_CC20_P1305, M_NULL, H_SHA256), |
|
101 |
||
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
102 |
// |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
103 |
// Forward screcy cipher suites. |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
104 |
// |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
105 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
106 |
// AES_256(GCM) - ECDHE |
50768 | 107 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384( |
108 |
0xC030, true, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "", |
|
109 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
110 |
K_ECDHE_RSA, B_AES_256_GCM, M_NULL, H_SHA384), |
|
51773 | 111 |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256( |
112 |
0xCCA8, true, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "", |
|
113 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
114 |
K_ECDHE_RSA, B_CC20_P1305, M_NULL, H_SHA256), |
|
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
115 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
116 |
// AES_128(GCM) - ECDHE |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
117 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
118 |
0xC02F, true, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "", |
50768 | 119 |
ProtocolVersion.PROTOCOLS_OF_12, |
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
120 |
K_ECDHE_RSA, B_AES_128_GCM, M_NULL, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
121 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
122 |
// AES_256(GCM) - DHE |
50768 | 123 |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384( |
124 |
0x009F, true, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "", |
|
125 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
126 |
K_DHE_RSA, B_AES_256_GCM, M_NULL, H_SHA384), |
|
51773 | 127 |
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256( |
128 |
0xCCAA, true, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "", |
|
129 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
130 |
K_DHE_RSA, B_CC20_P1305, M_NULL, H_SHA256), |
|
50768 | 131 |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384( |
132 |
0x00A3, true, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "", |
|
133 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
134 |
K_DHE_DSS, B_AES_256_GCM, M_NULL, H_SHA384), |
|
135 |
||
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
136 |
// AES_128(GCM) - DHE |
50768 | 137 |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256( |
138 |
0x009E, true, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "", |
|
139 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
140 |
K_DHE_RSA, B_AES_128_GCM, M_NULL, H_SHA256), |
|
141 |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256( |
|
142 |
0x00A2, true, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "", |
|
143 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
144 |
K_DHE_DSS, B_AES_128_GCM, M_NULL, H_SHA256), |
|
145 |
||
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
146 |
// AES_256(CBC) - ECDHE |
50768 | 147 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384( |
148 |
0xC024, true, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "", |
|
149 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
150 |
K_ECDHE_ECDSA, B_AES_256, M_SHA384, H_SHA384), |
|
151 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384( |
|
152 |
0xC028, true, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "", |
|
153 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
154 |
K_ECDHE_RSA, B_AES_256, M_SHA384, H_SHA384), |
|
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
155 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
156 |
// AES_128(CBC) - ECDHE |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
157 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
158 |
0xC023, true, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "", |
50768 | 159 |
ProtocolVersion.PROTOCOLS_OF_12, |
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
160 |
K_ECDHE_ECDSA, B_AES_128, M_SHA256, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
161 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
162 |
0xC027, true, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "", |
50768 | 163 |
ProtocolVersion.PROTOCOLS_OF_12, |
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
164 |
K_ECDHE_RSA, B_AES_128, M_SHA256, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
165 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
166 |
// AES_256(CBC) - DHE |
50768 | 167 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256( |
168 |
0x006B, true, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "", |
|
169 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
170 |
K_DHE_RSA, B_AES_256, M_SHA256, H_SHA256), |
|
171 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256( |
|
172 |
0x006A, true, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "", |
|
173 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
174 |
K_DHE_DSS, B_AES_256, M_SHA256, H_SHA256), |
|
175 |
||
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
176 |
// AES_128(CBC) - DHE |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
177 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
178 |
0x0067, true, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
179 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
180 |
K_DHE_RSA, B_AES_128, M_SHA256, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
181 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
182 |
0x0040, true, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
183 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
184 |
K_DHE_DSS, B_AES_128, M_SHA256, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
185 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
186 |
// |
55353 | 187 |
// not forward secret cipher suites. |
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
188 |
// |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
189 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
190 |
// AES_256(GCM) |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
191 |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
192 |
0xC02E, true, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
193 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
194 |
K_ECDH_ECDSA, B_AES_256_GCM, M_NULL, H_SHA384), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
195 |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
196 |
0xC032, true, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
197 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
198 |
K_ECDH_RSA, B_AES_256_GCM, M_NULL, H_SHA384), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
199 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
200 |
// AES_128(GCM) |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
201 |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
202 |
0xC02D, true, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
203 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
204 |
K_ECDH_ECDSA, B_AES_128_GCM, M_NULL, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
205 |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
206 |
0xC031, true, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
207 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
208 |
K_ECDH_RSA, B_AES_128_GCM, M_NULL, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
209 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
210 |
// AES_256(CBC) |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
211 |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
212 |
0xC026, true, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
213 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
214 |
K_ECDH_ECDSA, B_AES_256, M_SHA384, H_SHA384), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
215 |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
216 |
0xC02A, true, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
217 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
218 |
K_ECDH_RSA, B_AES_256, M_SHA384, H_SHA384), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
219 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
220 |
// AES_128(CBC) |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
221 |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
222 |
0xC025, true, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
223 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
224 |
K_ECDH_ECDSA, B_AES_128, M_SHA256, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
225 |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
226 |
0xC029, true, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
227 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
228 |
K_ECDH_RSA, B_AES_128, M_SHA256, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
229 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
230 |
// |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
231 |
// Legacy, used for compatibility |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
232 |
// |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
233 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
234 |
// AES_256(CBC) - ECDHE - Using SHA |
50768 | 235 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA( |
236 |
0xC00A, true, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "", |
|
237 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
238 |
K_ECDHE_ECDSA, B_AES_256, M_SHA, H_SHA256), |
|
239 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA( |
|
240 |
0xC014, true, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "", |
|
241 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
242 |
K_ECDHE_RSA, B_AES_256, M_SHA, H_SHA256), |
|
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
243 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
244 |
// AES_128(CBC) - ECDHE - using SHA |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
245 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
246 |
0xC009, true, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "", |
50768 | 247 |
ProtocolVersion.PROTOCOLS_TO_12, |
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
248 |
K_ECDHE_ECDSA, B_AES_128, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
249 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
250 |
0xC013, true, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "", |
50768 | 251 |
ProtocolVersion.PROTOCOLS_TO_12, |
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
252 |
K_ECDHE_RSA, B_AES_128, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
253 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
254 |
// AES_256(CBC) - DHE - Using SHA |
50768 | 255 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA( |
256 |
0x0039, true, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "", |
|
257 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
258 |
K_DHE_RSA, B_AES_256, M_SHA, H_SHA256), |
|
259 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA( |
|
260 |
0x0038, true, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "", |
|
261 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
262 |
K_DHE_DSS, B_AES_256, M_SHA, H_SHA256), |
|
2 | 263 |
|
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
264 |
// AES_128(CBC) - DHE - using SHA |
50768 | 265 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA( |
266 |
0x0033, true, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "", |
|
267 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
268 |
K_DHE_RSA, B_AES_128, M_SHA, H_SHA256), |
|
269 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA( |
|
270 |
0x0032, true, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "", |
|
271 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
272 |
K_DHE_DSS, B_AES_128, M_SHA, H_SHA256), |
|
273 |
||
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
274 |
// AES_256(CBC) - using SHA, not forward screcy |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
275 |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
276 |
0xC005, true, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
277 |
ProtocolVersion.PROTOCOLS_TO_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
278 |
K_ECDH_ECDSA, B_AES_256, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
279 |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
280 |
0xC00F, true, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
281 |
ProtocolVersion.PROTOCOLS_TO_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
282 |
K_ECDH_RSA, B_AES_256, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
283 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
284 |
// AES_128(CBC) - using SHA, not forward screcy |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
285 |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
286 |
0xC004, true, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
287 |
ProtocolVersion.PROTOCOLS_TO_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
288 |
K_ECDH_ECDSA, B_AES_128, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
289 |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
290 |
0xC00E, true, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
291 |
ProtocolVersion.PROTOCOLS_TO_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
292 |
K_ECDH_RSA, B_AES_128, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
293 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
294 |
// |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
295 |
// deprecated, used for compatibility |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
296 |
// |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
297 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
298 |
// RSA, AES_256(GCM) |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
299 |
TLS_RSA_WITH_AES_256_GCM_SHA384( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
300 |
0x009D, true, "TLS_RSA_WITH_AES_256_GCM_SHA384", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
301 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
302 |
K_RSA, B_AES_256_GCM, M_NULL, H_SHA384), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
303 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
304 |
// RSA, AES_128(GCM) |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
305 |
TLS_RSA_WITH_AES_128_GCM_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
306 |
0x009C, true, "TLS_RSA_WITH_AES_128_GCM_SHA256", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
307 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
308 |
K_RSA, B_AES_128_GCM, M_NULL, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
309 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
310 |
// RSA, AES_256(CBC) |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
311 |
TLS_RSA_WITH_AES_256_CBC_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
312 |
0x003D, true, "TLS_RSA_WITH_AES_256_CBC_SHA256", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
313 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
314 |
K_RSA, B_AES_256, M_SHA256, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
315 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
316 |
// RSA, AES_128(CBC) |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
317 |
TLS_RSA_WITH_AES_128_CBC_SHA256( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
318 |
0x003C, true, "TLS_RSA_WITH_AES_128_CBC_SHA256", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
319 |
ProtocolVersion.PROTOCOLS_OF_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
320 |
K_RSA, B_AES_128, M_SHA256, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
321 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
322 |
// RSA, AES_256(CBC) - using SHA, not forward screcy |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
323 |
TLS_RSA_WITH_AES_256_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
324 |
0x0035, true, "TLS_RSA_WITH_AES_256_CBC_SHA", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
325 |
ProtocolVersion.PROTOCOLS_TO_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
326 |
K_RSA, B_AES_256, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
327 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
328 |
// RSA, AES_128(CBC) - using SHA, not forward screcy |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
329 |
TLS_RSA_WITH_AES_128_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
330 |
0x002F, true, "TLS_RSA_WITH_AES_128_CBC_SHA", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
331 |
ProtocolVersion.PROTOCOLS_TO_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
332 |
K_RSA, B_AES_128, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
333 |
|
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
334 |
// 3DES_EDE, forward secrecy. |
50768 | 335 |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA( |
336 |
0xC008, true, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "", |
|
337 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
338 |
K_ECDHE_ECDSA, B_3DES, M_SHA, H_SHA256), |
|
339 |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA( |
|
340 |
0xC012, true, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "", |
|
341 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
342 |
K_ECDHE_RSA, B_3DES, M_SHA, H_SHA256), |
|
343 |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA( |
|
344 |
0x0016, true, "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", |
|
345 |
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", |
|
346 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
347 |
K_DHE_RSA, B_3DES, M_SHA, H_SHA256), |
|
348 |
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA( |
|
349 |
0x0013, true, "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", |
|
350 |
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", |
|
351 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
352 |
K_DHE_DSS, B_3DES, M_SHA, H_SHA256), |
|
353 |
||
54430
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
354 |
// 3DES_EDE, not forward secrecy. |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
355 |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
356 |
0xC003, true, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
357 |
ProtocolVersion.PROTOCOLS_TO_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
358 |
K_ECDH_ECDSA, B_3DES, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
359 |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
360 |
0xC00D, true, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
361 |
ProtocolVersion.PROTOCOLS_TO_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
362 |
K_ECDH_RSA, B_3DES, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
363 |
SSL_RSA_WITH_3DES_EDE_CBC_SHA( |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
364 |
0x000A, true, "SSL_RSA_WITH_3DES_EDE_CBC_SHA", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
365 |
"TLS_RSA_WITH_3DES_EDE_CBC_SHA", |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
366 |
ProtocolVersion.PROTOCOLS_TO_12, |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
367 |
K_RSA, B_3DES, M_SHA, H_SHA256), |
fb25cd198a10
8163326: Update the default enabled cipher suites preference
xuelei
parents:
51773
diff
changeset
|
368 |
|
50768 | 369 |
// Renegotiation protection request Signalling Cipher Suite Value (SCSV). |
370 |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV( // RFC 5746, TLS 1.2 and prior |
|
371 |
0x00FF, true, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "", |
|
372 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
373 |
K_SCSV, B_NULL, M_NULL, H_NONE), |
|
2 | 374 |
|
50768 | 375 |
// Definition of the CipherSuites that are supported but not enabled |
376 |
// by default. |
|
377 |
// They are listed in preference order, preferred first, using the |
|
378 |
// following criteria: |
|
379 |
// 1. If a cipher suite has been obsoleted, we put it at the end of |
|
380 |
// the list. |
|
381 |
// 2. Prefer the stronger bulk cipher, in the order of AES_256, |
|
382 |
// AES_128, 3DES-EDE, RC-4, DES, DES40, RC4_40, NULL. |
|
383 |
// 3. Prefer the stronger MAC algorithm, in the order of SHA384, |
|
384 |
// SHA256, SHA, MD5. |
|
385 |
// 4. Prefer the better performance of key exchange and digital |
|
386 |
// signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA, |
|
387 |
// RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous. |
|
388 |
TLS_DH_anon_WITH_AES_256_GCM_SHA384( |
|
389 |
0x00A7, false, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", "", |
|
390 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
391 |
K_DH_ANON, B_AES_256_GCM, M_NULL, H_SHA384), |
|
392 |
TLS_DH_anon_WITH_AES_128_GCM_SHA256( |
|
393 |
0x00A6, false, "TLS_DH_anon_WITH_AES_128_GCM_SHA256", "", |
|
394 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
395 |
K_DH_ANON, B_AES_128_GCM, M_NULL, H_SHA256), |
|
396 |
TLS_DH_anon_WITH_AES_256_CBC_SHA256( |
|
397 |
0x006D, false, "TLS_DH_anon_WITH_AES_256_CBC_SHA256", "", |
|
398 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
399 |
K_DH_ANON, B_AES_256, M_SHA256, H_SHA256), |
|
400 |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA( |
|
401 |
0xC019, false, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "", |
|
402 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
403 |
K_ECDH_ANON, B_AES_256, M_SHA, H_SHA256), |
|
404 |
TLS_DH_anon_WITH_AES_256_CBC_SHA( |
|
405 |
0x003A, false, "TLS_DH_anon_WITH_AES_256_CBC_SHA", "", |
|
406 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
407 |
K_DH_ANON, B_AES_256, M_SHA, H_SHA256), |
|
408 |
TLS_DH_anon_WITH_AES_128_CBC_SHA256( |
|
409 |
0x006C, false, "TLS_DH_anon_WITH_AES_128_CBC_SHA256", "", |
|
410 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
411 |
K_DH_ANON, B_AES_128, M_SHA256, H_SHA256), |
|
412 |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA( |
|
413 |
0xC018, false, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "", |
|
414 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
415 |
K_ECDH_ANON, B_AES_128, M_SHA, H_SHA256), |
|
416 |
TLS_DH_anon_WITH_AES_128_CBC_SHA( |
|
417 |
0x0034, false, "TLS_DH_anon_WITH_AES_128_CBC_SHA", "", |
|
418 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
419 |
K_DH_ANON, B_AES_128, M_SHA, H_SHA256), |
|
420 |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA( |
|
421 |
0xC017, false, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "", |
|
422 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
423 |
K_ECDH_ANON, B_3DES, M_SHA, H_SHA256), |
|
424 |
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA( |
|
425 |
0x001B, false, "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", |
|
426 |
"TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", |
|
427 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
428 |
K_DH_ANON, B_3DES, M_SHA, H_SHA256), |
|
429 |
||
430 |
// RC4 |
|
431 |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA( |
|
432 |
0xC007, false, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "", |
|
433 |
ProtocolVersion.PROTOCOLS_TO_TLS12, |
|
434 |
K_ECDHE_ECDSA, B_RC4_128, M_SHA, H_SHA256), |
|
435 |
TLS_ECDHE_RSA_WITH_RC4_128_SHA( |
|
436 |
0xC011, false, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "", |
|
437 |
ProtocolVersion.PROTOCOLS_TO_TLS12, |
|
438 |
K_ECDHE_RSA, B_RC4_128, M_SHA, H_SHA256), |
|
439 |
SSL_RSA_WITH_RC4_128_SHA( |
|
440 |
0x0005, false, "SSL_RSA_WITH_RC4_128_SHA", |
|
441 |
"TLS_RSA_WITH_RC4_128_SHA", |
|
442 |
ProtocolVersion.PROTOCOLS_TO_TLS12, |
|
443 |
K_RSA, B_RC4_128, M_SHA, H_SHA256), |
|
444 |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA( |
|
445 |
0xC002, false, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "", |
|
446 |
ProtocolVersion.PROTOCOLS_TO_TLS12, |
|
447 |
K_ECDH_ECDSA, B_RC4_128, M_SHA, H_SHA256), |
|
448 |
TLS_ECDH_RSA_WITH_RC4_128_SHA( |
|
449 |
0xC00C, false, "TLS_ECDH_RSA_WITH_RC4_128_SHA", "", |
|
450 |
ProtocolVersion.PROTOCOLS_TO_TLS12, |
|
451 |
K_ECDH_RSA, B_RC4_128, M_SHA, H_SHA256), |
|
452 |
SSL_RSA_WITH_RC4_128_MD5( |
|
453 |
0x0004, false, "SSL_RSA_WITH_RC4_128_MD5", |
|
454 |
"TLS_RSA_WITH_RC4_128_MD5", |
|
455 |
ProtocolVersion.PROTOCOLS_TO_TLS12, |
|
456 |
K_RSA, B_RC4_128, M_MD5, H_SHA256), |
|
457 |
TLS_ECDH_anon_WITH_RC4_128_SHA( |
|
458 |
0xC016, false, "TLS_ECDH_anon_WITH_RC4_128_SHA", "", |
|
459 |
ProtocolVersion.PROTOCOLS_TO_TLS12, |
|
460 |
K_ECDH_ANON, B_RC4_128, M_SHA, H_SHA256), |
|
461 |
SSL_DH_anon_WITH_RC4_128_MD5( |
|
462 |
0x0018, false, "SSL_DH_anon_WITH_RC4_128_MD5", |
|
463 |
"TLS_DH_anon_WITH_RC4_128_MD5", |
|
464 |
ProtocolVersion.PROTOCOLS_TO_TLS12, |
|
465 |
K_DH_ANON, B_RC4_128, M_MD5, H_SHA256), |
|
466 |
||
467 |
// weak cipher suites obsoleted in TLS 1.2 [RFC 5246] |
|
468 |
SSL_RSA_WITH_DES_CBC_SHA( |
|
469 |
0x0009, false, "SSL_RSA_WITH_DES_CBC_SHA", |
|
470 |
"TLS_RSA_WITH_DES_CBC_SHA", |
|
471 |
ProtocolVersion.PROTOCOLS_TO_11, |
|
472 |
K_RSA, B_DES, M_SHA, H_NONE), |
|
473 |
SSL_DHE_RSA_WITH_DES_CBC_SHA( |
|
474 |
0x0015, false, "SSL_DHE_RSA_WITH_DES_CBC_SHA", |
|
475 |
"TLS_DHE_RSA_WITH_DES_CBC_SHA", |
|
476 |
ProtocolVersion.PROTOCOLS_TO_11, |
|
477 |
K_DHE_RSA, B_DES, M_SHA, H_NONE), |
|
478 |
SSL_DHE_DSS_WITH_DES_CBC_SHA( |
|
479 |
0x0012, false, "SSL_DHE_DSS_WITH_DES_CBC_SHA", |
|
480 |
"TLS_DHE_DSS_WITH_DES_CBC_SHA", |
|
481 |
ProtocolVersion.PROTOCOLS_TO_11, |
|
482 |
K_DHE_DSS, B_DES, M_SHA, H_NONE), |
|
483 |
SSL_DH_anon_WITH_DES_CBC_SHA( |
|
484 |
0x001A, false, "SSL_DH_anon_WITH_DES_CBC_SHA", |
|
485 |
"TLS_DH_anon_WITH_DES_CBC_SHA", |
|
486 |
ProtocolVersion.PROTOCOLS_TO_11, |
|
487 |
K_DH_ANON, B_DES, M_SHA, H_NONE), |
|
2 | 488 |
|
50768 | 489 |
// weak cipher suites obsoleted in TLS 1.1 [RFC 4346] |
490 |
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA( |
|
491 |
0x0008, false, "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", |
|
492 |
"TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", |
|
493 |
ProtocolVersion.PROTOCOLS_TO_10, |
|
494 |
K_RSA_EXPORT, B_DES_40, M_SHA, H_NONE), |
|
495 |
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA( |
|
496 |
0x0014, false, "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", |
|
497 |
"TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", |
|
498 |
ProtocolVersion.PROTOCOLS_TO_10, |
|
499 |
K_DHE_RSA_EXPORT, B_DES_40, M_SHA, H_NONE), |
|
500 |
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA( |
|
501 |
0x0011, false, "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", |
|
502 |
"TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", |
|
503 |
ProtocolVersion.PROTOCOLS_TO_10, |
|
504 |
K_DHE_DSS_EXPORT, B_DES_40, M_SHA, H_NONE), |
|
505 |
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA( |
|
506 |
0x0019, false, "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", |
|
507 |
"TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", |
|
508 |
ProtocolVersion.PROTOCOLS_TO_10, |
|
509 |
K_DH_ANON_EXPORT, B_DES_40, M_SHA, H_NONE), |
|
510 |
SSL_RSA_EXPORT_WITH_RC4_40_MD5( |
|
511 |
0x0003, false, "SSL_RSA_EXPORT_WITH_RC4_40_MD5", |
|
512 |
"TLS_RSA_EXPORT_WITH_RC4_40_MD5", |
|
513 |
ProtocolVersion.PROTOCOLS_TO_10, |
|
51465 | 514 |
K_RSA_EXPORT, B_RC4_40, M_MD5, H_NONE), |
50768 | 515 |
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5( |
516 |
0x0017, false, "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", |
|
517 |
"TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", |
|
518 |
ProtocolVersion.PROTOCOLS_TO_10, |
|
51465 | 519 |
K_DH_ANON, B_RC4_40, M_MD5, H_NONE), |
50768 | 520 |
|
521 |
// no traffic encryption cipher suites |
|
522 |
TLS_RSA_WITH_NULL_SHA256( |
|
523 |
0x003B, false, "TLS_RSA_WITH_NULL_SHA256", "", |
|
524 |
ProtocolVersion.PROTOCOLS_OF_12, |
|
525 |
K_RSA, B_NULL, M_SHA256, H_SHA256), |
|
526 |
TLS_ECDHE_ECDSA_WITH_NULL_SHA( |
|
527 |
0xC006, false, "TLS_ECDHE_ECDSA_WITH_NULL_SHA", "", |
|
528 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
529 |
K_ECDHE_ECDSA, B_NULL, M_SHA, H_SHA256), |
|
530 |
TLS_ECDHE_RSA_WITH_NULL_SHA( |
|
531 |
0xC010, false, "TLS_ECDHE_RSA_WITH_NULL_SHA", "", |
|
532 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
533 |
K_ECDHE_RSA, B_NULL, M_SHA, H_SHA256), |
|
534 |
SSL_RSA_WITH_NULL_SHA( |
|
535 |
0x0002, false, "SSL_RSA_WITH_NULL_SHA", |
|
536 |
"TLS_RSA_WITH_NULL_SHA", |
|
537 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
538 |
K_RSA, B_NULL, M_SHA, H_SHA256), |
|
539 |
TLS_ECDH_ECDSA_WITH_NULL_SHA( |
|
540 |
0xC001, false, "TLS_ECDH_ECDSA_WITH_NULL_SHA", "", |
|
541 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
542 |
K_ECDH_ECDSA, B_NULL, M_SHA, H_SHA256), |
|
543 |
TLS_ECDH_RSA_WITH_NULL_SHA( |
|
544 |
0xC00B, false, "TLS_ECDH_RSA_WITH_NULL_SHA", "", |
|
545 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
546 |
K_ECDH_RSA, B_NULL, M_SHA, H_SHA256), |
|
547 |
TLS_ECDH_anon_WITH_NULL_SHA( |
|
548 |
0xC015, false, "TLS_ECDH_anon_WITH_NULL_SHA", "", |
|
549 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
550 |
K_ECDH_ANON, B_NULL, M_SHA, H_SHA256), |
|
551 |
SSL_RSA_WITH_NULL_MD5( |
|
552 |
0x0001, false, "SSL_RSA_WITH_NULL_MD5", |
|
553 |
"TLS_RSA_WITH_NULL_MD5", |
|
554 |
ProtocolVersion.PROTOCOLS_TO_12, |
|
555 |
K_RSA, B_NULL, M_MD5, H_SHA256), |
|
556 |
||
557 |
// Definition of the CipherSuites that are not supported but the names |
|
558 |
// are known. |
|
559 |
TLS_AES_128_CCM_SHA256( // TLS 1.3 |
|
560 |
"TLS_AES_128_CCM_SHA256", 0x1304), |
|
561 |
TLS_AES_128_CCM_8_SHA256( // TLS 1.3 |
|
562 |
"TLS_AES_128_CCM_8_SHA256", 0x1305), |
|
2 | 563 |
|
50768 | 564 |
// remaining unsupported ciphersuites defined in RFC2246. |
565 |
CS_0006("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 0x0006), |
|
566 |
CS_0007("SSL_RSA_WITH_IDEA_CBC_SHA", 0x0007), |
|
567 |
CS_000B("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x000b), |
|
568 |
CS_000C("SSL_DH_DSS_WITH_DES_CBC_SHA", 0x000c), |
|
569 |
CS_000D("SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA", 0x000d), |
|
570 |
CS_000E("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x000e), |
|
571 |
CS_000F("SSL_DH_RSA_WITH_DES_CBC_SHA", 0x000f), |
|
572 |
CS_0010("SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA", 0x0010), |
|
573 |
||
574 |
// SSL 3.0 Fortezza ciphersuites |
|
575 |
CS_001C("SSL_FORTEZZA_DMS_WITH_NULL_SHA", 0x001c), |
|
576 |
CS_001D("SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA", 0x001d), |
|
577 |
||
578 |
// 1024/56 bit exportable ciphersuites from expired internet draft |
|
579 |
CS_0062("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA", 0x0062), |
|
580 |
CS_0063("SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", 0x0063), |
|
581 |
CS_0064("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", 0x0064), |
|
582 |
CS_0065("SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA", 0x0065), |
|
583 |
CS_0066("SSL_DHE_DSS_WITH_RC4_128_SHA", 0x0066), |
|
584 |
||
585 |
// Netscape old and new SSL 3.0 FIPS ciphersuites |
|
586 |
// see http://www.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html |
|
587 |
CS_FFE0("NETSCAPE_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xffe0), |
|
588 |
CS_FFE1("NETSCAPE_RSA_FIPS_WITH_DES_CBC_SHA", 0xffe1), |
|
589 |
CS_FEFE("SSL_RSA_FIPS_WITH_DES_CBC_SHA", 0xfefe), |
|
590 |
CS_FEFF("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xfeff), |
|
591 |
||
592 |
// Unsupported Kerberos cipher suites from RFC 2712 |
|
593 |
CS_001E("TLS_KRB5_WITH_DES_CBC_SHA", 0x001E), |
|
594 |
CS_001F("TLS_KRB5_WITH_3DES_EDE_CBC_SHA", 0x001F), |
|
595 |
CS_0020("TLS_KRB5_WITH_RC4_128_SHA", 0x0020), |
|
596 |
CS_0021("TLS_KRB5_WITH_IDEA_CBC_SHA", 0x0021), |
|
597 |
CS_0022("TLS_KRB5_WITH_DES_CBC_MD5", 0x0022), |
|
598 |
CS_0023("TLS_KRB5_WITH_3DES_EDE_CBC_MD5", 0x0023), |
|
599 |
CS_0024("TLS_KRB5_WITH_RC4_128_MD5", 0x0024), |
|
600 |
CS_0025("TLS_KRB5_WITH_IDEA_CBC_MD5", 0x0025), |
|
601 |
CS_0026("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", 0x0026), |
|
602 |
CS_0027("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", 0x0027), |
|
603 |
CS_0028("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", 0x0028), |
|
604 |
CS_0029("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", 0x0029), |
|
605 |
CS_002A("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", 0x002a), |
|
606 |
CS_002B("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", 0x002B), |
|
607 |
||
608 |
// Unsupported cipher suites from RFC 4162 |
|
609 |
CS_0096("TLS_RSA_WITH_SEED_CBC_SHA", 0x0096), |
|
610 |
CS_0097("TLS_DH_DSS_WITH_SEED_CBC_SHA", 0x0097), |
|
611 |
CS_0098("TLS_DH_RSA_WITH_SEED_CBC_SHA", 0x0098), |
|
612 |
CS_0099("TLS_DHE_DSS_WITH_SEED_CBC_SHA", 0x0099), |
|
613 |
CS_009A("TLS_DHE_RSA_WITH_SEED_CBC_SHA", 0x009a), |
|
614 |
CS_009B("TLS_DH_anon_WITH_SEED_CBC_SHA", 0x009b), |
|
615 |
||
616 |
// Unsupported cipher suites from RFC 4279 |
|
617 |
CS_008A("TLS_PSK_WITH_RC4_128_SHA", 0x008a), |
|
618 |
CS_008B("TLS_PSK_WITH_3DES_EDE_CBC_SHA", 0x008b), |
|
619 |
CS_008C("TLS_PSK_WITH_AES_128_CBC_SHA", 0x008c), |
|
620 |
CS_008D("TLS_PSK_WITH_AES_256_CBC_SHA", 0x008d), |
|
621 |
CS_008E("TLS_DHE_PSK_WITH_RC4_128_SHA", 0x008e), |
|
622 |
CS_008F("TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", 0x008f), |
|
623 |
CS_0090("TLS_DHE_PSK_WITH_AES_128_CBC_SHA", 0x0090), |
|
624 |
CS_0091("TLS_DHE_PSK_WITH_AES_256_CBC_SHA", 0x0091), |
|
625 |
CS_0092("TLS_RSA_PSK_WITH_RC4_128_SHA", 0x0092), |
|
626 |
CS_0093("TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", 0x0093), |
|
627 |
CS_0094("TLS_RSA_PSK_WITH_AES_128_CBC_SHA", 0x0094), |
|
628 |
CS_0095("TLS_RSA_PSK_WITH_AES_256_CBC_SHA", 0x0095), |
|
629 |
||
630 |
// Unsupported cipher suites from RFC 4785 |
|
631 |
CS_002C("TLS_PSK_WITH_NULL_SHA", 0x002c), |
|
632 |
CS_002D("TLS_DHE_PSK_WITH_NULL_SHA", 0x002d), |
|
633 |
CS_002E("TLS_RSA_PSK_WITH_NULL_SHA", 0x002e), |
|
634 |
||
635 |
// Unsupported cipher suites from RFC 5246 |
|
636 |
CS_0030("TLS_DH_DSS_WITH_AES_128_CBC_SHA", 0x0030), |
|
637 |
CS_0031("TLS_DH_RSA_WITH_AES_128_CBC_SHA", 0x0031), |
|
638 |
CS_0036("TLS_DH_DSS_WITH_AES_256_CBC_SHA", 0x0036), |
|
639 |
CS_0037("TLS_DH_RSA_WITH_AES_256_CBC_SHA", 0x0037), |
|
640 |
CS_003E("TLS_DH_DSS_WITH_AES_128_CBC_SHA256", 0x003e), |
|
641 |
CS_003F("TLS_DH_RSA_WITH_AES_128_CBC_SHA256", 0x003f), |
|
642 |
CS_0068("TLS_DH_DSS_WITH_AES_256_CBC_SHA256", 0x0068), |
|
643 |
CS_0069("TLS_DH_RSA_WITH_AES_256_CBC_SHA256", 0x0069), |
|
644 |
||
645 |
// Unsupported cipher suites from RFC 5288 |
|
646 |
CS_00A0("TLS_DH_RSA_WITH_AES_128_GCM_SHA256", 0x00a0), |
|
647 |
CS_00A1("TLS_DH_RSA_WITH_AES_256_GCM_SHA384", 0x00a1), |
|
648 |
CS_00A4("TLS_DH_DSS_WITH_AES_128_GCM_SHA256", 0x00a4), |
|
649 |
CS_00A5("TLS_DH_DSS_WITH_AES_256_GCM_SHA384", 0x00a5), |
|
2 | 650 |
|
50768 | 651 |
// Unsupported cipher suites from RFC 5487 |
652 |
CS_00A8("TLS_PSK_WITH_AES_128_GCM_SHA256", 0x00a8), |
|
653 |
CS_00A9("TLS_PSK_WITH_AES_256_GCM_SHA384", 0x00a9), |
|
654 |
CS_00AA("TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", 0x00aa), |
|
655 |
CS_00AB("TLS_DHE_PSK_WITH_AES_256_GCM_SHA384", 0x00ab), |
|
656 |
CS_00AC("TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", 0x00ac), |
|
657 |
CS_00AD("TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", 0x00ad), |
|
658 |
CS_00AE("TLS_PSK_WITH_AES_128_CBC_SHA256", 0x00ae), |
|
659 |
CS_00AF("TLS_PSK_WITH_AES_256_CBC_SHA384", 0x00af), |
|
660 |
CS_00B0("TLS_PSK_WITH_NULL_SHA256", 0x00b0), |
|
661 |
CS_00B1("TLS_PSK_WITH_NULL_SHA384", 0x00b1), |
|
662 |
CS_00B2("TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", 0x00b2), |
|
663 |
CS_00B3("TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", 0x00b3), |
|
664 |
CS_00B4("TLS_DHE_PSK_WITH_NULL_SHA256", 0x00b4), |
|
665 |
CS_00B5("TLS_DHE_PSK_WITH_NULL_SHA384", 0x00b5), |
|
666 |
CS_00B6("TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", 0x00b6), |
|
667 |
CS_00B7("TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", 0x00b7), |
|
668 |
CS_00B8("TLS_RSA_PSK_WITH_NULL_SHA256", 0x00b8), |
|
669 |
CS_00B9("TLS_RSA_PSK_WITH_NULL_SHA384", 0x00b9), |
|
670 |
||
671 |
// Unsupported cipher suites from RFC 5932 |
|
672 |
CS_0041("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0041), |
|
673 |
CS_0042("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", 0x0042), |
|
674 |
CS_0043("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0043), |
|
675 |
CS_0044("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", 0x0044), |
|
676 |
CS_0045("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0045), |
|
677 |
CS_0046("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", 0x0046), |
|
678 |
CS_0084("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0084), |
|
679 |
CS_0085("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", 0x0085), |
|
680 |
CS_0086("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0086), |
|
681 |
CS_0087("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", 0x0087), |
|
682 |
CS_0088("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0088), |
|
683 |
CS_0089("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", 0x0089), |
|
684 |
CS_00BA("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0x00ba), |
|
685 |
CS_00BB("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", 0x00bb), |
|
686 |
CS_00BC("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0x00bc), |
|
687 |
CS_00BD("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", 0x00bd), |
|
688 |
CS_00BE("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0x00be), |
|
689 |
CS_00BF("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", 0x00bf), |
|
690 |
CS_00C0("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", 0x00c0), |
|
691 |
CS_00C1("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", 0x00c1), |
|
692 |
CS_00C2("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", 0x00c2), |
|
693 |
CS_00C3("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", 0x00c3), |
|
694 |
CS_00C4("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", 0x00c4), |
|
695 |
CS_00C5("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", 0x00c5), |
|
696 |
||
697 |
// TLS Fallback Signaling Cipher Suite Value (SCSV) RFC 7507 |
|
698 |
CS_5600("TLS_FALLBACK_SCSV", 0x5600), |
|
699 |
||
700 |
// Unsupported cipher suites from RFC 5054 |
|
701 |
CS_C01A("TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", 0xc01a), |
|
702 |
CS_C01B("TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", 0xc01b), |
|
703 |
CS_C01C("TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", 0xc01c), |
|
704 |
CS_C01D("TLS_SRP_SHA_WITH_AES_128_CBC_SHA", 0xc01d), |
|
705 |
CS_C01E("TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", 0xc01e), |
|
706 |
CS_C01F("TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", 0xc01f), |
|
707 |
CS_C020("TLS_SRP_SHA_WITH_AES_256_CBC_SHA", 0xc020), |
|
708 |
CS_C021("TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", 0xc021), |
|
709 |
CS_C022("TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", 0xc022), |
|
710 |
||
711 |
// Unsupported cipher suites from RFC 5489 |
|
712 |
CS_C033("TLS_ECDHE_PSK_WITH_RC4_128_SHA", 0xc033), |
|
713 |
CS_C034("TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", 0xc034), |
|
714 |
CS_C035("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", 0xc035), |
|
715 |
CS_C036("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", 0xc036), |
|
716 |
CS_C037("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", 0xc037), |
|
717 |
CS_C038("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", 0xc038), |
|
718 |
CS_C039("TLS_ECDHE_PSK_WITH_NULL_SHA", 0xc039), |
|
719 |
CS_C03A("TLS_ECDHE_PSK_WITH_NULL_SHA256", 0xc03a), |
|
720 |
CS_C03B("TLS_ECDHE_PSK_WITH_NULL_SHA384", 0xc03b), |
|
2 | 721 |
|
50768 | 722 |
// Unsupported cipher suites from RFC 6209 |
723 |
CS_C03C("TLS_RSA_WITH_ARIA_128_CBC_SHA256", 0xc03c), |
|
724 |
CS_C03D("TLS_RSA_WITH_ARIA_256_CBC_SHA384", 0xc03d), |
|
725 |
CS_C03E("TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256", 0xc03e), |
|
726 |
CS_C03F("TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384", 0xc03f), |
|
727 |
CS_C040("TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256", 0xc040), |
|
728 |
CS_C041("TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384", 0xc041), |
|
729 |
CS_C042("TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256", 0xc042), |
|
730 |
CS_C043("TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384", 0xc043), |
|
731 |
CS_C044("TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256", 0xc044), |
|
732 |
CS_C045("TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384", 0xc045), |
|
733 |
CS_C046("TLS_DH_anon_WITH_ARIA_128_CBC_SHA256", 0xc046), |
|
734 |
CS_C047("TLS_DH_anon_WITH_ARIA_256_CBC_SHA384", 0xc047), |
|
735 |
CS_C048("TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", 0xc048), |
|
736 |
CS_C049("TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", 0xc049), |
|
737 |
CS_C04A("TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256", 0xc04a), |
|
738 |
CS_C04B("TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384", 0xc04b), |
|
739 |
CS_C04C("TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", 0xc04c), |
|
740 |
CS_C04D("TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", 0xc04d), |
|
741 |
CS_C04E("TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256", 0xc04e), |
|
742 |
CS_C04F("TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384", 0xc04f), |
|
743 |
CS_C050("TLS_RSA_WITH_ARIA_128_GCM_SHA256", 0xc050), |
|
744 |
CS_C051("TLS_RSA_WITH_ARIA_256_GCM_SHA384", 0xc051), |
|
745 |
CS_C052("TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256", 0xc052), |
|
746 |
CS_C053("TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384", 0xc053), |
|
747 |
CS_C054("TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256", 0xc054), |
|
748 |
CS_C055("TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384", 0xc055), |
|
749 |
CS_C056("TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256", 0xc056), |
|
750 |
CS_C057("TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384", 0xc057), |
|
751 |
CS_C058("TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256", 0xc058), |
|
752 |
CS_C059("TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384", 0xc059), |
|
753 |
CS_C05A("TLS_DH_anon_WITH_ARIA_128_GCM_SHA256", 0xc05a), |
|
754 |
CS_C05B("TLS_DH_anon_WITH_ARIA_256_GCM_SHA384", 0xc05b), |
|
755 |
CS_C05C("TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", 0xc05c), |
|
756 |
CS_C05D("TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", 0xc05d), |
|
757 |
CS_C05E("TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256", 0xc05e), |
|
758 |
CS_C05F("TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384", 0xc05f), |
|
759 |
CS_C060("TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", 0xc060), |
|
760 |
CS_C061("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", 0xc061), |
|
761 |
CS_C062("TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256", 0xc062), |
|
762 |
CS_C063("TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384", 0xc063), |
|
763 |
CS_C064("TLS_PSK_WITH_ARIA_128_CBC_SHA256", 0xc064), |
|
764 |
CS_C065("TLS_PSK_WITH_ARIA_256_CBC_SHA384", 0xc065), |
|
765 |
CS_C066("TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256", 0xc066), |
|
766 |
CS_C067("TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384", 0xc067), |
|
767 |
CS_C068("TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256", 0xc068), |
|
768 |
CS_C069("TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384", 0xc069), |
|
769 |
CS_C06A("TLS_PSK_WITH_ARIA_128_GCM_SHA256", 0xc06a), |
|
770 |
CS_C06B("TLS_PSK_WITH_ARIA_256_GCM_SHA384", 0xc06b), |
|
771 |
CS_C06C("TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256", 0xc06c), |
|
772 |
CS_C06D("TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384", 0xc06d), |
|
773 |
CS_C06E("TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256", 0xc06e), |
|
774 |
CS_C06F("TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384", 0xc06f), |
|
775 |
CS_C070("TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256", 0xc070), |
|
776 |
CS_C071("TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384", 0xc071), |
|
2 | 777 |
|
50768 | 778 |
// Unsupported cipher suites from RFC 6367 |
779 |
CS_C072("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", 0xc072), |
|
780 |
CS_C073("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", 0xc073), |
|
781 |
CS_C074("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", 0xc074), |
|
782 |
CS_C075("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", 0xc075), |
|
783 |
CS_C076("TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0xc076), |
|
784 |
CS_C077("TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", 0xc077), |
|
785 |
CS_C078("TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0xc078), |
|
786 |
CS_C079("TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384", 0xc079), |
|
787 |
CS_C07A("TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc07a), |
|
788 |
CS_C07B("TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc07b), |
|
789 |
CS_C07C("TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc07c), |
|
790 |
CS_C07D("TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc07d), |
|
791 |
CS_C07E("TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc07e), |
|
792 |
CS_C07F("TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc07f), |
|
793 |
CS_C080("TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", 0xc080), |
|
794 |
CS_C081("TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", 0xc081), |
|
795 |
CS_C082("TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256", 0xc082), |
|
796 |
CS_C083("TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384", 0xc083), |
|
797 |
CS_C084("TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", 0xc084), |
|
798 |
CS_C085("TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", 0xc085), |
|
799 |
CS_C086("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc086), |
|
800 |
CS_C087("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc087), |
|
801 |
CS_C088("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc088), |
|
802 |
CS_C089("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc089), |
|
803 |
CS_C08A("TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc08a), |
|
804 |
CS_C08B("TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc08b), |
|
805 |
CS_C08C("TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc08c), |
|
806 |
CS_C08D("TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc08d), |
|
807 |
CS_C08E("TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", 0xc08e), |
|
808 |
CS_C08F("TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", 0xc08f), |
|
809 |
CS_C090("TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", 0xc090), |
|
810 |
CS_C091("TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", 0xc091), |
|
811 |
CS_C092("TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", 0xc092), |
|
812 |
CS_C093("TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", 0xc093), |
|
813 |
CS_C094("TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", 0xc094), |
|
814 |
CS_C095("TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", 0xc095), |
|
815 |
CS_C096("TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", 0xc096), |
|
816 |
CS_C097("TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", 0xc097), |
|
817 |
CS_C098("TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", 0xc098), |
|
818 |
CS_C099("TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", 0xc099), |
|
819 |
CS_C09A("TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", 0xc09a), |
|
820 |
CS_C09B("TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", 0xc09b), |
|
821 |
||
822 |
// Unsupported cipher suites from RFC 6655 |
|
823 |
CS_C09C("TLS_RSA_WITH_AES_128_CCM", 0xc09c), |
|
824 |
CS_C09D("TLS_RSA_WITH_AES_256_CCM", 0xc09d), |
|
825 |
CS_C09E("TLS_DHE_RSA_WITH_AES_128_CCM", 0xc09e), |
|
826 |
CS_C09F("TLS_DHE_RSA_WITH_AES_256_CCM", 0xc09f), |
|
827 |
CS_C0A0("TLS_RSA_WITH_AES_128_CCM_8", 0xc0A0), |
|
828 |
CS_C0A1("TLS_RSA_WITH_AES_256_CCM_8", 0xc0A1), |
|
829 |
CS_C0A2("TLS_DHE_RSA_WITH_AES_128_CCM_8", 0xc0A2), |
|
830 |
CS_C0A3("TLS_DHE_RSA_WITH_AES_256_CCM_8", 0xc0A3), |
|
831 |
CS_C0A4("TLS_PSK_WITH_AES_128_CCM", 0xc0A4), |
|
832 |
CS_C0A5("TLS_PSK_WITH_AES_256_CCM", 0xc0A5), |
|
833 |
CS_C0A6("TLS_DHE_PSK_WITH_AES_128_CCM", 0xc0A6), |
|
834 |
CS_C0A7("TLS_DHE_PSK_WITH_AES_256_CCM", 0xc0A7), |
|
835 |
CS_C0A8("TLS_PSK_WITH_AES_128_CCM_8", 0xc0A8), |
|
836 |
CS_C0A9("TLS_PSK_WITH_AES_256_CCM_8", 0xc0A9), |
|
837 |
CS_C0AA("TLS_PSK_DHE_WITH_AES_128_CCM_8", 0xc0Aa), |
|
838 |
CS_C0AB("TLS_PSK_DHE_WITH_AES_256_CCM_8", 0xc0Ab), |
|
839 |
||
840 |
// Unsupported cipher suites from RFC 7251 |
|
841 |
CS_C0AC("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", 0xc0Ac), |
|
842 |
CS_C0AD("TLS_ECDHE_ECDSA_WITH_AES_256_CCM", 0xc0Ad), |
|
843 |
CS_C0AE("TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", 0xc0Ae), |
|
844 |
CS_C0AF("TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", 0xc0Af), |
|
845 |
||
846 |
C_NULL("SSL_NULL_WITH_NULL_NULL", 0x0000); |
|
847 |
||
2 | 848 |
final int id; |
50768 | 849 |
final boolean isDefaultEnabled; |
850 |
final String name; |
|
851 |
final List<String> aliases; |
|
852 |
final List<ProtocolVersion> supportedProtocols; |
|
853 |
final KeyExchange keyExchange; |
|
854 |
final SSLCipher bulkCipher; |
|
855 |
final MacAlg macAlg; |
|
856 |
final HashAlg hashAlg; |
|
2 | 857 |
|
858 |
final boolean exportable; |
|
859 |
||
50768 | 860 |
// known but unsupported cipher suite |
861 |
private CipherSuite(String name, int id) { |
|
862 |
this(id, false, name, "", |
|
863 |
ProtocolVersion.PROTOCOLS_EMPTY, null, null, null, null); |
|
864 |
} |
|
865 |
||
866 |
// TLS 1.3 cipher suite |
|
867 |
private CipherSuite(int id, boolean isDefaultEnabled, |
|
868 |
String name, ProtocolVersion[] supportedProtocols, |
|
869 |
SSLCipher bulkCipher, HashAlg hashAlg) { |
|
870 |
this(id, isDefaultEnabled, name, "", |
|
871 |
supportedProtocols, null, bulkCipher, M_NULL, hashAlg); |
|
872 |
} |
|
2 | 873 |
|
50768 | 874 |
private CipherSuite(int id, boolean isDefaultEnabled, |
875 |
String name, String aliases, |
|
876 |
ProtocolVersion[] supportedProtocols, |
|
877 |
KeyExchange keyExchange, SSLCipher cipher, |
|
878 |
MacAlg macAlg, HashAlg hashAlg) { |
|
879 |
this.id = id; |
|
880 |
this.isDefaultEnabled = isDefaultEnabled; |
|
881 |
this.name = name; |
|
51407
910f7b56592f
8207009: TLS 1.3 half-close and synchronization issues
xuelei
parents:
51115
diff
changeset
|
882 |
if (!aliases.isEmpty()) { |
50768 | 883 |
this.aliases = Arrays.asList(aliases.split(",")); |
884 |
} else { |
|
885 |
this.aliases = Collections.emptyList(); |
|
886 |
} |
|
887 |
this.supportedProtocols = Arrays.asList(supportedProtocols); |
|
888 |
this.keyExchange = keyExchange; |
|
889 |
this.bulkCipher = cipher; |
|
890 |
this.macAlg = macAlg; |
|
891 |
this.hashAlg = hashAlg; |
|
7039 | 892 |
|
50768 | 893 |
this.exportable = (cipher == null ? false : cipher.exportable); |
894 |
} |
|
895 |
||
896 |
static CipherSuite nameOf(String ciperSuiteName) { |
|
897 |
for (CipherSuite cs : CipherSuite.values()) { |
|
898 |
if (cs.name.equals(ciperSuiteName) || |
|
899 |
cs.aliases.contains(ciperSuiteName)) { |
|
900 |
return cs; |
|
901 |
} |
|
902 |
} |
|
903 |
||
904 |
return null; |
|
905 |
} |
|
7043 | 906 |
|
50768 | 907 |
static CipherSuite valueOf(int id) { |
908 |
for (CipherSuite cs : CipherSuite.values()) { |
|
909 |
if (cs.id == id) { |
|
910 |
return cs; |
|
911 |
} |
|
912 |
} |
|
913 |
||
914 |
return null; |
|
915 |
} |
|
916 |
||
917 |
static String nameOf(int id) { |
|
918 |
for (CipherSuite cs : CipherSuite.values()) { |
|
919 |
if (cs.id == id) { |
|
920 |
return cs.name; |
|
921 |
} |
|
922 |
} |
|
923 |
||
924 |
return "UNKNOWN-CIPHER-SUITE(" + Utilities.byte16HexString(id) + ")"; |
|
925 |
} |
|
926 |
||
927 |
static Collection<CipherSuite> allowedCipherSuites() { |
|
928 |
Collection<CipherSuite> cipherSuites = new LinkedList<>(); |
|
929 |
for (CipherSuite cs : CipherSuite.values()) { |
|
930 |
if (!cs.supportedProtocols.isEmpty()) { |
|
931 |
cipherSuites.add(cs); |
|
932 |
} else { |
|
933 |
// values() is ordered, remaining cipher suites are |
|
934 |
// not supported. |
|
935 |
break; |
|
936 |
} |
|
937 |
} |
|
938 |
return cipherSuites; |
|
939 |
} |
|
940 |
||
941 |
static Collection<CipherSuite> defaultCipherSuites() { |
|
942 |
Collection<CipherSuite> cipherSuites = new LinkedList<>(); |
|
943 |
for (CipherSuite cs : CipherSuite.values()) { |
|
944 |
if (cs.isDefaultEnabled) { |
|
945 |
cipherSuites.add(cs); |
|
946 |
} else { |
|
947 |
// values() is ordered, remaining cipher suites are |
|
948 |
// not enabled. |
|
949 |
break; |
|
950 |
} |
|
951 |
} |
|
952 |
return cipherSuites; |
|
2 | 953 |
} |
954 |
||
7043 | 955 |
/** |
50768 | 956 |
* Validates and converts an array of cipher suite names. |
957 |
* |
|
958 |
* @throws IllegalArgumentException when one or more of the ciphers named |
|
959 |
* by the parameter is not supported, or when the parameter is null. |
|
7043 | 960 |
*/ |
50768 | 961 |
static List<CipherSuite> validValuesOf(String[] names) { |
962 |
if (names == null) { |
|
963 |
throw new IllegalArgumentException("CipherSuites cannot be null"); |
|
964 |
} |
|
965 |
||
966 |
List<CipherSuite> cipherSuites = new ArrayList<>(names.length); |
|
967 |
for (String name : names) { |
|
51115
6659a00bc2ea
8207237: SSLSocket#setEnabledCipherSuites is accepting empty string
jnimeh
parents:
50768
diff
changeset
|
968 |
if (name == null || name.isEmpty()) { |
50768 | 969 |
throw new IllegalArgumentException( |
51115
6659a00bc2ea
8207237: SSLSocket#setEnabledCipherSuites is accepting empty string
jnimeh
parents:
50768
diff
changeset
|
970 |
"The specified CipherSuites array contains " + |
6659a00bc2ea
8207237: SSLSocket#setEnabledCipherSuites is accepting empty string
jnimeh
parents:
50768
diff
changeset
|
971 |
"invalid null or empty string elements"); |
50768 | 972 |
} |
2 | 973 |
|
50768 | 974 |
boolean found = false; |
975 |
for (CipherSuite cs : CipherSuite.values()) { |
|
976 |
if (!cs.supportedProtocols.isEmpty()) { |
|
977 |
if (cs.name.equals(name) || |
|
978 |
cs.aliases.contains(name)) { |
|
979 |
cipherSuites.add(cs); |
|
980 |
found = true; |
|
981 |
break; |
|
982 |
} |
|
983 |
} else { |
|
984 |
// values() is ordered, remaining cipher suites are |
|
985 |
// not supported. |
|
986 |
break; |
|
987 |
} |
|
988 |
} |
|
989 |
if (!found) { |
|
990 |
throw new IllegalArgumentException( |
|
991 |
"Unsupported CipherSuite: " + name); |
|
992 |
} |
|
993 |
} |
|
994 |
||
995 |
return Collections.unmodifiableList(cipherSuites); |
|
2 | 996 |
} |
997 |
||
50768 | 998 |
static String[] namesOf(List<CipherSuite> cipherSuites) { |
999 |
String[] names = new String[cipherSuites.size()]; |
|
1000 |
int i = 0; |
|
1001 |
for (CipherSuite cipherSuite : cipherSuites) { |
|
1002 |
names[i++] = cipherSuite.name; |
|
1003 |
} |
|
1004 |
||
1005 |
return names; |
|
1006 |
} |
|
1007 |
||
2 | 1008 |
boolean isAvailable() { |
50768 | 1009 |
// Note: keyExchange is null for TLS 1.3 CipherSuites. |
1010 |
return !supportedProtocols.isEmpty() && |
|
1011 |
(keyExchange == null || keyExchange.isAvailable()) && |
|
1012 |
bulkCipher != null && bulkCipher.isAvailable(); |
|
1013 |
} |
|
1014 |
||
1015 |
public boolean supports(ProtocolVersion protocolVersion) { |
|
1016 |
return supportedProtocols.contains(protocolVersion); |
|
2 | 1017 |
} |
1018 |
||
6856 | 1019 |
boolean isNegotiable() { |
50768 | 1020 |
return this != TLS_EMPTY_RENEGOTIATION_INFO_SCSV && isAvailable(); |
6856 | 1021 |
} |
1022 |
||
50768 | 1023 |
boolean isAnonymous() { |
1024 |
return (keyExchange != null && keyExchange.isAnonymous); |
|
1025 |
} |
|
1026 |
||
1027 |
// See also SSLWriteCipher.calculatePacketSize(). |
|
30904 | 1028 |
int calculatePacketSize(int fragmentSize, |
1029 |
ProtocolVersion protocolVersion, boolean isDTLS) { |
|
1030 |
int packetSize = fragmentSize; |
|
50768 | 1031 |
if (bulkCipher != null && bulkCipher != B_NULL) { |
1032 |
int blockSize = bulkCipher.ivSize; |
|
1033 |
switch (bulkCipher.cipherType) { |
|
30904 | 1034 |
case BLOCK_CIPHER: |
1035 |
packetSize += macAlg.size; |
|
1036 |
packetSize += 1; // 1 byte padding length field |
|
1037 |
packetSize += // use the minimal padding |
|
1038 |
(blockSize - (packetSize % blockSize)) % blockSize; |
|
1039 |
if (protocolVersion.useTLS11PlusSpec()) { |
|
1040 |
packetSize += blockSize; // explicit IV |
|
1041 |
} |
|
1042 |
||
1043 |
break; |
|
50768 | 1044 |
case AEAD_CIPHER: |
1045 |
if (protocolVersion == ProtocolVersion.TLS12 || |
|
1046 |
protocolVersion == ProtocolVersion.DTLS12) { |
|
1047 |
packetSize += |
|
1048 |
bulkCipher.ivSize - bulkCipher.fixedIvSize; |
|
1049 |
} |
|
1050 |
packetSize += bulkCipher.tagSize; |
|
30904 | 1051 |
|
50768 | 1052 |
break; |
1053 |
default: // NULL_CIPHER or STREAM_CIPHER |
|
1054 |
packetSize += macAlg.size; |
|
30904 | 1055 |
} |
1056 |
} |
|
1057 |
||
1058 |
return packetSize + |
|
1059 |
(isDTLS ? DTLSRecord.headerSize : SSLRecord.headerSize); |
|
1060 |
} |
|
1061 |
||
1062 |
// See also CipherBox.calculateFragmentSize(). |
|
1063 |
int calculateFragSize(int packetLimit, |
|
1064 |
ProtocolVersion protocolVersion, boolean isDTLS) { |
|
1065 |
int fragSize = packetLimit - |
|
1066 |
(isDTLS ? DTLSRecord.headerSize : SSLRecord.headerSize); |
|
50768 | 1067 |
if (bulkCipher != null && bulkCipher != B_NULL) { |
1068 |
int blockSize = bulkCipher.ivSize; |
|
1069 |
switch (bulkCipher.cipherType) { |
|
1070 |
case BLOCK_CIPHER: |
|
1071 |
if (protocolVersion.useTLS11PlusSpec()) { |
|
1072 |
fragSize -= blockSize; // explicit IV |
|
1073 |
} |
|
1074 |
fragSize -= (fragSize % blockSize); // cannot hold a block |
|
1075 |
// No padding for a maximum fragment. |
|
1076 |
fragSize -= 1; // 1 byte padding length field: 0x00 |
|
1077 |
fragSize -= macAlg.size; |
|
30904 | 1078 |
|
50768 | 1079 |
break; |
1080 |
case AEAD_CIPHER: |
|
1081 |
fragSize -= bulkCipher.tagSize; |
|
1082 |
fragSize -= bulkCipher.ivSize - bulkCipher.fixedIvSize; |
|
30904 | 1083 |
|
50768 | 1084 |
break; |
1085 |
default: // NULL_CIPHER or STREAM_CIPHER |
|
1086 |
fragSize -= macAlg.size; |
|
30904 | 1087 |
} |
1088 |
} |
|
1089 |
||
1090 |
return fragSize; |
|
1091 |
} |
|
1092 |
||
2 | 1093 |
/** |
1094 |
* An SSL/TLS key exchange algorithm. |
|
1095 |
*/ |
|
1096 |
static enum KeyExchange { |
|
50768 | 1097 |
K_NULL ("NULL", false, true, NAMED_GROUP_NONE), |
1098 |
K_RSA ("RSA", true, false, NAMED_GROUP_NONE), |
|
1099 |
K_RSA_EXPORT ("RSA_EXPORT", true, false, NAMED_GROUP_NONE), |
|
1100 |
K_DH_RSA ("DH_RSA", false, false, NAMED_GROUP_NONE), |
|
1101 |
K_DH_DSS ("DH_DSS", false, false, NAMED_GROUP_NONE), |
|
1102 |
K_DHE_DSS ("DHE_DSS", true, false, NAMED_GROUP_FFDHE), |
|
1103 |
K_DHE_DSS_EXPORT("DHE_DSS_EXPORT", true, false, NAMED_GROUP_NONE), |
|
1104 |
K_DHE_RSA ("DHE_RSA", true, false, NAMED_GROUP_FFDHE), |
|
1105 |
K_DHE_RSA_EXPORT("DHE_RSA_EXPORT", true, false, NAMED_GROUP_NONE), |
|
1106 |
K_DH_ANON ("DH_anon", true, true, NAMED_GROUP_FFDHE), |
|
1107 |
K_DH_ANON_EXPORT("DH_anon_EXPORT", true, true, NAMED_GROUP_NONE), |
|
2 | 1108 |
|
55353 | 1109 |
// These KeyExchanges can use either ECDHE/XDH, so we'll use a |
1110 |
// varargs here. |
|
1111 |
K_ECDH_ECDSA ("ECDH_ECDSA", JsseJce.ALLOW_ECC, false, |
|
1112 |
NAMED_GROUP_ECDHE, NAMED_GROUP_XDH), |
|
1113 |
K_ECDH_RSA ("ECDH_RSA", JsseJce.ALLOW_ECC, false, |
|
1114 |
NAMED_GROUP_ECDHE, NAMED_GROUP_XDH), |
|
1115 |
K_ECDHE_ECDSA ("ECDHE_ECDSA", JsseJce.ALLOW_ECC, false, |
|
1116 |
NAMED_GROUP_ECDHE, NAMED_GROUP_XDH), |
|
1117 |
K_ECDHE_RSA ("ECDHE_RSA", JsseJce.ALLOW_ECC, false, |
|
1118 |
NAMED_GROUP_ECDHE, NAMED_GROUP_XDH), |
|
1119 |
K_ECDH_ANON ("ECDH_anon", JsseJce.ALLOW_ECC, true, |
|
1120 |
NAMED_GROUP_ECDHE, NAMED_GROUP_XDH), |
|
6856 | 1121 |
|
1122 |
// renegotiation protection request signaling cipher suite |
|
50768 | 1123 |
K_SCSV ("SCSV", true, true, NAMED_GROUP_NONE); |
2 | 1124 |
|
1125 |
// name of the key exchange algorithm, e.g. DHE_DSS |
|
1126 |
final String name; |
|
1127 |
final boolean allowed; |
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
1128 |
final NamedGroupSpec[] groupTypes; |
2 | 1129 |
private final boolean alwaysAvailable; |
50768 | 1130 |
private final boolean isAnonymous; |
2 | 1131 |
|
50768 | 1132 |
KeyExchange(String name, boolean allowed, |
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
1133 |
boolean isAnonymous, NamedGroupSpec... groupTypes) { |
2 | 1134 |
this.name = name; |
55353 | 1135 |
this.groupTypes = groupTypes; |
1136 |
this.allowed = allowed; |
|
1137 |
||
50768 | 1138 |
this.alwaysAvailable = allowed && (!name.startsWith("EC")); |
1139 |
this.isAnonymous = isAnonymous; |
|
2 | 1140 |
} |
1141 |
||
1142 |
boolean isAvailable() { |
|
1143 |
if (alwaysAvailable) { |
|
1144 |
return true; |
|
1145 |
} |
|
3957
c8fdb8fad795
6885204: JSSE should not require Kerberos to be present
vinnie
parents:
715
diff
changeset
|
1146 |
|
57718
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
1147 |
if (NamedGroupSpec.arrayContains(groupTypes, |
a93b7b28f644
8226374: Restrict TLS signature schemes and named groups
xuelei
parents:
55353
diff
changeset
|
1148 |
NamedGroupSpec.NAMED_GROUP_ECDHE)) { |
3957
c8fdb8fad795
6885204: JSSE should not require Kerberos to be present
vinnie
parents:
715
diff
changeset
|
1149 |
return (allowed && JsseJce.isEcAvailable()); |
c8fdb8fad795
6885204: JSSE should not require Kerberos to be present
vinnie
parents:
715
diff
changeset
|
1150 |
} else { |
c8fdb8fad795
6885204: JSSE should not require Kerberos to be present
vinnie
parents:
715
diff
changeset
|
1151 |
return allowed; |
c8fdb8fad795
6885204: JSSE should not require Kerberos to be present
vinnie
parents:
715
diff
changeset
|
1152 |
} |
2 | 1153 |
} |
1154 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
11904
diff
changeset
|
1155 |
@Override |
2 | 1156 |
public String toString() { |
1157 |
return name; |
|
1158 |
} |
|
1159 |
} |
|
1160 |
||
1161 |
/** |
|
1162 |
* An SSL/TLS key MAC algorithm. |
|
1163 |
* |
|
7043 | 1164 |
* Also contains a factory method to obtain an initialized MAC |
2 | 1165 |
* for this algorithm. |
1166 |
*/ |
|
29488 | 1167 |
static enum MacAlg { |
1168 |
M_NULL ("NULL", 0, 0, 0), |
|
1169 |
M_MD5 ("MD5", 16, 64, 9), |
|
1170 |
M_SHA ("SHA", 20, 64, 9), |
|
1171 |
M_SHA256 ("SHA256", 32, 64, 9), |
|
1172 |
M_SHA384 ("SHA384", 48, 128, 17); |
|
2 | 1173 |
|
1174 |
// descriptive name, e.g. MD5 |
|
1175 |
final String name; |
|
1176 |
||
1177 |
// size of the MAC value (and MAC key) in bytes |
|
1178 |
final int size; |
|
1179 |
||
16113 | 1180 |
// block size of the underlying hash algorithm |
1181 |
final int hashBlockSize; |
|
1182 |
||
1183 |
// minimal padding size of the underlying hash algorithm |
|
1184 |
final int minimalPaddingSize; |
|
1185 |
||
1186 |
MacAlg(String name, int size, |
|
1187 |
int hashBlockSize, int minimalPaddingSize) { |
|
2 | 1188 |
this.name = name; |
1189 |
this.size = size; |
|
16113 | 1190 |
this.hashBlockSize = hashBlockSize; |
1191 |
this.minimalPaddingSize = minimalPaddingSize; |
|
2 | 1192 |
} |
1193 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
11904
diff
changeset
|
1194 |
@Override |
2 | 1195 |
public String toString() { |
1196 |
return name; |
|
1197 |
} |
|
1198 |
} |
|
1199 |
||
7807 | 1200 |
/** |
50768 | 1201 |
* The hash algorithms used for PRF (PseudoRandom Function) or HKDF. |
7807 | 1202 |
* |
50768 | 1203 |
* Note that TLS 1.1- uses a single MD5/SHA1-based PRF algorithm for |
1204 |
* generating the necessary material. |
|
7807 | 1205 |
*/ |
50768 | 1206 |
static enum HashAlg { |
1207 |
H_NONE ("NONE", 0, 0), |
|
1208 |
H_SHA256 ("SHA-256", 32, 64), |
|
1209 |
H_SHA384 ("SHA-384", 48, 128); |
|
7043 | 1210 |
|
50768 | 1211 |
final String name; |
1212 |
final int hashLength; |
|
1213 |
final int blockSize; |
|
7043 | 1214 |
|
50768 | 1215 |
HashAlg(String hashAlg, int hashLength, int blockSize) { |
1216 |
this.name = hashAlg; |
|
1217 |
this.hashLength = hashLength; |
|
1218 |
this.blockSize = blockSize; |
|
7043 | 1219 |
} |
1220 |
||
50768 | 1221 |
@Override |
1222 |
public String toString() { |
|
1223 |
return name; |
|
7043 | 1224 |
} |
1225 |
} |
|
2 | 1226 |
} |