Commit a04fa4fa authored by Manuel Pégourié-Gonnard's avatar Manuel Pégourié-Gonnard
Browse files

RSA-PSK key exchange requires TLS 1.x

It's not clear if, with SSL3, one should include send the two length bytes for
EncryptedPreMasterSecret or not, so require TLS to avoid interop issues.
parent e46aa5e3
......@@ -8,6 +8,8 @@ Bugfix
Changes
* Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
standard defining how to use SHA-2 with SSL 3.0).
* Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
ambiguous on how to encode some packets with SSL 3.0).
= PolarSSL 1.3.8 released 2014-07-11
Security
......
......@@ -1444,13 +1444,13 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA1_C)
{ TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA1_C */
......@@ -1500,7 +1500,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA1_C)
{ TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA",
POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA1_C */
......@@ -1511,7 +1511,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA1_C)
{ TLS_RSA_PSK_WITH_RC4_128_SHA, "TLS-RSA-PSK-WITH-RC4-128-SHA",
POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA1_C */
......@@ -1628,7 +1628,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA1_C)
{ TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA",
POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_WEAK },
#endif /* POLARSSL_SHA1_C */
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment