Remove DHE ciphers from defaults list

Since DHE does not allow negotiation of the group used, it is pretty broken. ECDHE at least allows the negotiation of the group which allows its security to be maintained with configuration changes in the client or server. This tracks a change in Conscrypt merged in 906cfad7e08fd339be06441ff42960743f95053c Test: cts-tradefed run cts -m CtsLibcoreOkHttpTestCases -a arm64-v8a Test: cts-tradefed run cts -m CtsLibcoreTestCases -a arm64-v8a Test: make docs Test: visual inspection of docs output in web browser Change-Id: Ic90297bf6b1c82af192a887797238ad250e3d1ce
author: Kenny Root <kroot@google.com> 2017-03-07 14:19:30 -0800
committer: Kenny Root <kroot@google.com> 2017-03-08 15:17:25 -0800
commit: 87b15f87f9e01e8e8d8350aa3fc74a08599ad6e8 (patch)
tree: 67b597083160da8c113058c268eb72f2a9e41c31 /support
parent: 23dd5ee0bd9bfe0b4c09b3312808130efb6dcae6 (diff)
1 files changed, 8 insertions, 16 deletions
diff --git a/support/src/test/java/libcore/java/security/StandardNames.java b/support/src/test/java/libcore/java/security/StandardNames.java
index 8bc9937f21..db5d0b1fa0 100644
--- a/support/src/test/java/libcore/java/security/StandardNames.java
+++ b/support/src/test/java/libcore/java/security/StandardNames.java
@@ -783,11 +783,9 @@ public final class StandardNames {
         addBoth(   "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA");
         addBoth(   "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
         addBoth(   "TLS_RSA_WITH_AES_256_CBC_SHA");
-        addBoth(   "TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
         addBoth(   "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA");
         addBoth(   "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
         addBoth(   "TLS_RSA_WITH_AES_128_CBC_SHA");
-        addBoth(   "TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
         addBoth(   "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
 
         // TLSv1.2 cipher suites
@@ -795,10 +793,6 @@ public final class StandardNames {
         addBoth(   "TLS_RSA_WITH_AES_256_CBC_SHA256");
         addOpenSsl("TLS_RSA_WITH_AES_128_GCM_SHA256");
         addOpenSsl("TLS_RSA_WITH_AES_256_GCM_SHA384");
-        addBoth(   "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256");
-        addBoth(   "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256");
-        addOpenSsl("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256");
-        addOpenSsl("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
         addBoth(   "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
         addBoth(   "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
         addOpenSsl("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
@@ -856,11 +850,11 @@ public final class StandardNames {
         addRi(     "SSL_RSA_WITH_RC4_128_MD5");
 
         // Dropped
-        addNeither("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA");
-        addNeither("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA");
         addRi(     "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA");
         addRi(     "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA");
         addRi(     "SSL_DHE_RSA_WITH_DES_CBC_SHA");
+        addNeither("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA");
+        addNeither("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA");
         addRi(     "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA");
         addRi(     "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5");
         addRi(     "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA");
@@ -871,6 +865,12 @@ public final class StandardNames {
         addRi(     "SSL_RSA_WITH_DES_CBC_SHA");
         addRi(     "SSL_RSA_WITH_NULL_MD5");
         addRi(     "SSL_RSA_WITH_NULL_SHA");
+        addRi(     "TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
+        addRi(     "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256");
+        addNeither("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256");
+        addNeither("TLS_DHE_RSA_WITH_AES_128_GCM_SHA384");
+        addRi(     "TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
+        addRi(     "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256");
         addRi(     "TLS_DH_anon_WITH_AES_128_CBC_SHA");
         addRi(     "TLS_DH_anon_WITH_AES_128_CBC_SHA256");
         addNeither("TLS_DH_anon_WITH_AES_128_GCM_SHA256");
@@ -945,14 +945,10 @@ public final class StandardNames {
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
             "TLS_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_RSA_WITH_AES_128_CBC_SHA",
@@ -969,14 +965,10 @@ public final class StandardNames {
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
             "TLS_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_RSA_WITH_AES_128_CBC_SHA",
author	Kenny Root <kroot@google.com>	2017-03-07 14:19:30 -0800
committer	Kenny Root <kroot@google.com>	2017-03-08 15:17:25 -0800
commit	87b15f87f9e01e8e8d8350aa3fc74a08599ad6e8 (patch)
tree	67b597083160da8c113058c268eb72f2a9e41c31 /support
parent	23dd5ee0bd9bfe0b4c09b3312808130efb6dcae6 (diff)