288 |
288 |
289 // Definition of the CipherSuites that are supported but not enabled |
289 // Definition of the CipherSuites that are supported but not enabled |
290 // by default. |
290 // by default. |
291 // They are listed in preference order, preferred first, using the |
291 // They are listed in preference order, preferred first, using the |
292 // following criteria: |
292 // following criteria: |
293 // 1. CipherSuites for KRB5 need additional KRB5 service |
293 // 1. If a cipher suite has been obsoleted, we put it at the end of |
294 // configuration, and these suites are not common in practice, |
|
295 // so we put KRB5 based cipher suites at the end of the supported |
|
296 // list. |
|
297 // 2. If a cipher suite has been obsoleted, we put it at the end of |
|
298 // the list. |
294 // the list. |
299 // 3. Prefer the stronger bulk cipher, in the order of AES_256, |
295 // 2. Prefer the stronger bulk cipher, in the order of AES_256, |
300 // AES_128, 3DES-EDE, RC-4, DES, DES40, RC4_40, NULL. |
296 // AES_128, 3DES-EDE, RC-4, DES, DES40, RC4_40, NULL. |
301 // 4. Prefer the stronger MAC algorithm, in the order of SHA384, |
297 // 3. Prefer the stronger MAC algorithm, in the order of SHA384, |
302 // SHA256, SHA, MD5. |
298 // SHA256, SHA, MD5. |
303 // 5. Prefer the better performance of key exchange and digital |
299 // 4. Prefer the better performance of key exchange and digital |
304 // signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA, |
300 // signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA, |
305 // RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous. |
301 // RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous. |
306 TLS_DH_anon_WITH_AES_256_GCM_SHA384( |
302 TLS_DH_anon_WITH_AES_256_GCM_SHA384( |
307 0x00A7, false, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", "", |
303 0x00A7, false, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", "", |
308 ProtocolVersion.PROTOCOLS_OF_12, |
304 ProtocolVersion.PROTOCOLS_OF_12, |
454 SSL_RSA_WITH_NULL_MD5( |
450 SSL_RSA_WITH_NULL_MD5( |
455 0x0001, false, "SSL_RSA_WITH_NULL_MD5", "", |
451 0x0001, false, "SSL_RSA_WITH_NULL_MD5", "", |
456 ProtocolVersion.PROTOCOLS_TO_12, |
452 ProtocolVersion.PROTOCOLS_TO_12, |
457 K_RSA, B_NULL, M_MD5, H_SHA256), |
453 K_RSA, B_NULL, M_MD5, H_SHA256), |
458 |
454 |
459 // supported Kerberos ciphersuites from RFC2712 |
|
460 TLS_KRB5_WITH_3DES_EDE_CBC_SHA( |
|
461 0x001F, false, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "", |
|
462 ProtocolVersion.PROTOCOLS_TO_T12, |
|
463 K_KRB5, B_3DES, M_SHA, H_SHA256), |
|
464 TLS_KRB5_WITH_3DES_EDE_CBC_MD5( |
|
465 0x0023, false, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "", |
|
466 ProtocolVersion.PROTOCOLS_TO_T12, |
|
467 K_KRB5, B_3DES, M_MD5, H_SHA256), |
|
468 TLS_KRB5_WITH_RC4_128_SHA( |
|
469 0x0020, false, "TLS_KRB5_WITH_RC4_128_SHA", "", |
|
470 ProtocolVersion.PROTOCOLS_TO_T12, |
|
471 K_KRB5, B_RC4_128, M_SHA, H_SHA256), |
|
472 TLS_KRB5_WITH_RC4_128_MD5( |
|
473 0x0024, false, "TLS_KRB5_WITH_RC4_128_MD5", "", |
|
474 ProtocolVersion.PROTOCOLS_TO_T12, |
|
475 K_KRB5, B_RC4_128, M_MD5, H_SHA256), |
|
476 TLS_KRB5_WITH_DES_CBC_SHA( |
|
477 0x001e, false, "TLS_KRB5_WITH_DES_CBC_SHA", "", |
|
478 ProtocolVersion.PROTOCOLS_TO_T11, |
|
479 K_KRB5, B_DES, M_SHA, H_NONE), |
|
480 TLS_KRB5_WITH_DES_CBC_MD5( |
|
481 0x0022, false, "TLS_KRB5_WITH_DES_CBC_MD5", "", |
|
482 ProtocolVersion.PROTOCOLS_TO_T11, |
|
483 K_KRB5, B_DES, M_MD5, H_NONE), |
|
484 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA( |
|
485 0x0026, false, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "", |
|
486 ProtocolVersion.PROTOCOLS_TO_T10, |
|
487 K_KRB5_EXPORT, B_DES_40, M_SHA, H_NONE), |
|
488 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5( |
|
489 0x0029, false, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "", |
|
490 ProtocolVersion.PROTOCOLS_TO_T10, |
|
491 K_KRB5_EXPORT, B_DES_40, M_MD5, H_NONE), |
|
492 TLS_KRB5_EXPORT_WITH_RC4_40_SHA( |
|
493 0x0028, false, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "", |
|
494 ProtocolVersion.PROTOCOLS_TO_T10, |
|
495 K_KRB5_EXPORT, B_RC4_40, M_SHA, H_NONE), |
|
496 TLS_KRB5_EXPORT_WITH_RC4_40_MD5( |
|
497 0x002B, false, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "", |
|
498 ProtocolVersion.PROTOCOLS_TO_T10, |
|
499 K_KRB5_EXPORT, B_RC4_40, M_MD5, H_NONE), |
|
500 |
|
501 // Other values from the TLS Cipher Suite Registry, as of August 2010. |
455 // Other values from the TLS Cipher Suite Registry, as of August 2010. |
502 // |
456 // |
503 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml |
457 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml |
504 // |
458 // |
505 // Range Registration Procedures Notes |
459 // Range Registration Procedures Notes |
541 CS_FFE1("NETSCAPE_RSA_FIPS_WITH_DES_CBC_SHA", 0xffe1), |
495 CS_FFE1("NETSCAPE_RSA_FIPS_WITH_DES_CBC_SHA", 0xffe1), |
542 CS_FEFE("SSL_RSA_FIPS_WITH_DES_CBC_SHA", 0xfefe), |
496 CS_FEFE("SSL_RSA_FIPS_WITH_DES_CBC_SHA", 0xfefe), |
543 CS_FEFF("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xfeff), |
497 CS_FEFF("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xfeff), |
544 |
498 |
545 // Unsupported Kerberos cipher suites from RFC 2712 |
499 // Unsupported Kerberos cipher suites from RFC 2712 |
|
500 CS_001E("TLS_KRB5_WITH_DES_CBC_SHA", 0x001E), |
|
501 CS_001F("TLS_KRB5_WITH_3DES_EDE_CBC_SHA", 0x001F), |
|
502 CS_0020("TLS_KRB5_WITH_RC4_128_SHA", 0x0020), |
546 CS_0021("TLS_KRB5_WITH_IDEA_CBC_SHA", 0x0021), |
503 CS_0021("TLS_KRB5_WITH_IDEA_CBC_SHA", 0x0021), |
|
504 CS_0022("TLS_KRB5_WITH_DES_CBC_MD5", 0x0022), |
|
505 CS_0023("TLS_KRB5_WITH_3DES_EDE_CBC_MD5", 0x0023), |
|
506 CS_0024("TLS_KRB5_WITH_RC4_128_MD5", 0x0024), |
547 CS_0025("TLS_KRB5_WITH_IDEA_CBC_MD5", 0x0025), |
507 CS_0025("TLS_KRB5_WITH_IDEA_CBC_MD5", 0x0025), |
|
508 CS_0026("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", 0x0026), |
548 CS_0027("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", 0x0027), |
509 CS_0027("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", 0x0027), |
|
510 CS_0028("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", 0x0028), |
|
511 CS_0029("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", 0x0029), |
549 CS_002A("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", 0x002a), |
512 CS_002A("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", 0x002a), |
|
513 CS_002B("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", 0x002B), |
550 |
514 |
551 // Unsupported cipher suites from RFC 4162 |
515 // Unsupported cipher suites from RFC 4162 |
552 CS_0096("TLS_RSA_WITH_SEED_CBC_SHA", 0x0096), |
516 CS_0096("TLS_RSA_WITH_SEED_CBC_SHA", 0x0096), |
553 CS_0097("TLS_DH_DSS_WITH_SEED_CBC_SHA", 0x0097), |
517 CS_0097("TLS_DH_DSS_WITH_SEED_CBC_SHA", 0x0097), |
554 CS_0098("TLS_DH_RSA_WITH_SEED_CBC_SHA", 0x0098), |
518 CS_0098("TLS_DH_RSA_WITH_SEED_CBC_SHA", 0x0098), |
1044 K_ECDH_RSA ("ECDH_RSA", true, false, NAMED_GROUP_ECDHE), |
1008 K_ECDH_RSA ("ECDH_RSA", true, false, NAMED_GROUP_ECDHE), |
1045 K_ECDHE_ECDSA("ECDHE_ECDSA", true, false, NAMED_GROUP_ECDHE), |
1009 K_ECDHE_ECDSA("ECDHE_ECDSA", true, false, NAMED_GROUP_ECDHE), |
1046 K_ECDHE_RSA ("ECDHE_RSA", true, false, NAMED_GROUP_ECDHE), |
1010 K_ECDHE_RSA ("ECDHE_RSA", true, false, NAMED_GROUP_ECDHE), |
1047 K_ECDH_ANON ("ECDH_anon", true, true, NAMED_GROUP_ECDHE), |
1011 K_ECDH_ANON ("ECDH_anon", true, true, NAMED_GROUP_ECDHE), |
1048 |
1012 |
1049 // Kerberos cipher suites |
|
1050 K_KRB5 ("KRB5", true, false, NAMED_GROUP_NONE), |
|
1051 K_KRB5_EXPORT("KRB5_EXPORT", true, false, NAMED_GROUP_NONE), |
|
1052 |
|
1053 // renegotiation protection request signaling cipher suite |
1013 // renegotiation protection request signaling cipher suite |
1054 K_SCSV ("SCSV", true, true, NAMED_GROUP_NONE); |
1014 K_SCSV ("SCSV", true, true, NAMED_GROUP_NONE); |
1055 |
1015 |
1056 // name of the key exchange algorithm, e.g. DHE_DSS |
1016 // name of the key exchange algorithm, e.g. DHE_DSS |
1057 final String name; |
1017 final String name; |