Remove DHE ciphers from defaults list
Since DHE does not allow negotiation of the group used, it is pretty
broken. ECDHE at least allows the group to be negotiated, so its
security can be maintained with configuration changes in the client
or server.
This tracks a change in Conscrypt merged in
906cfad7e08fd339be06441ff42960743f95053c
Test: cts-tradefed run cts -m CtsLibcoreOkHttpTestCases -a arm64-v8a
Test: cts-tradefed run cts -m CtsLibcoreTestCases -a arm64-v8a
Test: make docs
Test: visual inspection of docs output in web browser
Change-Id: Ic90297bf6b1c82af192a887797238ad250e3d1ce
diff --git a/ojluni/src/main/java/javax/net/ssl/SSLEngine.java b/ojluni/src/main/java/javax/net/ssl/SSLEngine.java
index c4b3df0..2bf28b1 100644
--- a/ojluni/src/main/java/javax/net/ssl/SSLEngine.java
+++ b/ojluni/src/main/java/javax/net/ssl/SSLEngine.java
@@ -563,35 +563,35 @@
* <td>1–8</td>
* <td>1–8</td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</td>
- * <td>9+</td>
- * <td>9+</td>
+ * <td>9–TBD</td>
+ * <td>9–TBD</td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</td>
- * <td>20+</td>
+ * <td>20–TBD</td>
* <td></td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</td>
- * <td>20+</td>
- * <td>20+</td>
+ * <td>20–TBD</td>
+ * <td>20–TBD</td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</td>
- * <td>9+</td>
- * <td>20+</td>
+ * <td>9–TBD</td>
+ * <td>20–TBD</td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</td>
- * <td>20+</td>
+ * <td>20–TBD</td>
* <td></td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</td>
- * <td>20+</td>
- * <td>20+</td>
+ * <td>20–TBD</td>
+ * <td>20–TBD</td>
* </tr>
* <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_DES_CBC_SHA</td>
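Review bot: The `TBD` upper bound written into these six rows (and the six matching rows in SSLSocket.java) is a placeholder that will ship in the generated API reference unless someone replaces it with the last API level that carries the suites. Both cells of each row become a closed range, so if the two columns are "supported" and "enabled by default" (the table header is outside the hunk), the documentation now says the suites stop being supported at all, which is broader than the commit title's "defaults list". It is worth confirming which of the two is intended and stating it in the Javadoc, since an app that explicitly enables a DHE suite is affected only in the first case. A short sentence near the table pointing readers to the ECDHE equivalents would also help anyone who finds their configured suite marked deprecated.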
diff --git a/ojluni/src/main/java/javax/net/ssl/SSLSocket.java b/ojluni/src/main/java/javax/net/ssl/SSLSocket.java
index 093f2d9..0528cca 100644
--- a/ojluni/src/main/java/javax/net/ssl/SSLSocket.java
+++ b/ojluni/src/main/java/javax/net/ssl/SSLSocket.java
@@ -353,35 +353,35 @@
* <td>20–22</td>
* <td></td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</td>
- * <td>9+</td>
- * <td>9+</td>
+ * <td>9–TBD</td>
+ * <td>9–TBD</td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</td>
- * <td>20+</td>
+ * <td>20–TBD</td>
* <td></td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</td>
- * <td>20+</td>
- * <td>20+</td>
+ * <td>20–TBD</td>
+ * <td>20–TBD</td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</td>
- * <td>9+</td>
- * <td>11+</td>
+ * <td>9–TBD</td>
+ * <td>11–TBD</td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</td>
- * <td>20+</td>
+ * <td>20–TBD</td>
* <td></td>
* </tr>
- * <tr>
+ * <tr class="deprecated">
* <td>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</td>
- * <td>20+</td>
- * <td>20+</td>
+ * <td>20–TBD</td>
+ * <td>20–TBD</td>
* </tr>
* <tr class="deprecated">
* <td>TLS_DH_anon_WITH_AES_128_CBC_SHA</td>
diff --git a/support/src/test/java/libcore/java/security/StandardNames.java b/support/src/test/java/libcore/java/security/StandardNames.java
index 8bc9937..db5d0b1 100644
--- a/support/src/test/java/libcore/java/security/StandardNames.java
+++ b/support/src/test/java/libcore/java/security/StandardNames.java
@@ -783,11 +783,9 @@
addBoth( "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA");
addBoth( "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
addBoth( "TLS_RSA_WITH_AES_256_CBC_SHA");
- addBoth( "TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
addBoth( "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA");
addBoth( "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
addBoth( "TLS_RSA_WITH_AES_128_CBC_SHA");
- addBoth( "TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
addBoth( "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
// TLSv1.2 cipher suites
@@ -795,10 +793,6 @@
addBoth( "TLS_RSA_WITH_AES_256_CBC_SHA256");
addOpenSsl("TLS_RSA_WITH_AES_128_GCM_SHA256");
addOpenSsl("TLS_RSA_WITH_AES_256_GCM_SHA384");
- addBoth( "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256");
- addBoth( "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256");
- addOpenSsl("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256");
- addOpenSsl("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
addBoth( "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
addBoth( "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
addOpenSsl("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
@@ -856,11 +850,11 @@
addRi( "SSL_RSA_WITH_RC4_128_MD5");
// Dropped
- addNeither("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA");
- addNeither("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA");
addRi( "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA");
addRi( "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA");
addRi( "SSL_DHE_RSA_WITH_DES_CBC_SHA");
+ addNeither("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA");
+ addNeither("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA");
addRi( "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA");
addRi( "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5");
addRi( "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA");
@@ -871,6 +865,12 @@
addRi( "SSL_RSA_WITH_DES_CBC_SHA");
addRi( "SSL_RSA_WITH_NULL_MD5");
addRi( "SSL_RSA_WITH_NULL_SHA");
+ addRi( "TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
+ addRi( "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256");
+ addNeither("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256");
+ addNeither("TLS_DHE_RSA_WITH_AES_128_GCM_SHA384");
+ addRi( "TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
+ addRi( "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256");
addRi( "TLS_DH_anon_WITH_AES_128_CBC_SHA");
addRi( "TLS_DH_anon_WITH_AES_128_CBC_SHA256");
addNeither("TLS_DH_anon_WITH_AES_128_GCM_SHA256");
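Review bot: `addNeither("TLS_DHE_RSA_WITH_AES_128_GCM_SHA384")` in the added block names a suite that appears nowhere else in this change. The suite removed earlier in this file, and marked deprecated in the SSLEngine and SSLSocket tables, is `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`. As written, no add* call visible here still registers the real AES-256-GCM DHE suite, so a test that checks provider output against these names would presumably not recognise it if a provider still reports it (the helper bodies are outside the hunk). The line should read `addNeither("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");`.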
@@ -945,14 +945,10 @@
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA",
@@ -969,14 +965,10 @@
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA",