Disable TLS_DHE_DSS_WITH_AES_128_CBC_SHA

2015-10-17 20:13:03 +00:00
parent abc0f4c720
commit f713a19785
2 changed files with 11 additions and 1 deletions
--- a/core/java/src/net/i2p/util/I2PSSLSocketFactory.java
+++ b/core/java/src/net/i2p/util/I2PSSLSocketFactory.java
@@ -204,7 +204,15 @@ public class I2PSSLSocketFactory {
        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
+        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+        // following is disabled because it is weak
+        // see e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1107787
+        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
+        // ??? "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
+        //
+        //  NOTE:
+        //  If you add anything here, please also add to installer/resources/eepsite/jetty-ssl.xml
+        //
    }));

    /**
--- a/installer/resources/eepsite/jetty-ssl.xml
+++ b/installer/resources/eepsite/jetty-ssl.xml
@@ -248,6 +248,8 @@
            <Item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
+            <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
+            <!-- Please keep this list in sync with the one in I2PSSLSocketFactory -->
          </Array>
        </Set>
      </New>