Skip to content

Commit af57f9a

Browse files
daurnimatordaurnimator
committed
http/tls.lua: Index banned_ciphers by standard cipher name
This alleviates the need for our own standard name to openssl name map for ciphers.
1 parent cd9ff6b commit af57f9a

File tree

4 files changed

+6
-350
lines changed

4 files changed

+6
-350
lines changed

NEWS

+1
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ UNRELEASED
44
- Fix incorrect timeout handling in `websocket:receive()`
55
- Add workaround to allow being required in openresty (#98)
66
- Add http.tls.old_cipher_list (#112)
7+
- Change http.tls.banned_ciphers to be indexed by standard cipher name (#116)
78

89

910
0.2 - 2017-05-28

doc/modules/http.tls.md

+1-3
Original file line numberDiff line numberDiff line change
@@ -31,9 +31,7 @@ The [Mozilla "Old" cipher list](https://wiki.mozilla.org/Security/Server_Side_TL
3131

3232
### `banned_ciphers` <!-- --> {#http.tls.banned_ciphers}
3333

34-
A set (table with string keys and values of `true`) of the [ciphers banned in HTTP 2](https://http2.github.io/http2-spec/#BadCipherSuites) where the keys are OpenSSL cipher names.
35-
36-
Ciphers not known by OpenSSL are missing from the set.
34+
A set (table with string keys and values of `true`) of the [ciphers banned in HTTP 2](https://http2.github.io/http2-spec/#BadCipherSuites) where the keys are standard cipher names.
3735

3836

3937
### `new_client_context()` <!-- --> {#http.tls.new_client_context}

http/h2_connection.lua

+3-2
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@ local cqueues = require "cqueues"
22
local monotime = cqueues.monotime
33
local cc = require "cqueues.condition"
44
local ce = require "cqueues.errno"
5+
local openssl_ciphers = require "openssl.ciphers"
56
local rand = require "openssl.rand"
67
local new_fifo = require "fifo"
78
local band = require "http.bit".band
@@ -102,8 +103,8 @@ local function new_connection(socket, conn_type, settings)
102103
local ssl = socket:checktls()
103104
if ssl then
104105
local cipher = ssl:getCipherInfo()
105-
if h2_banned_ciphers[cipher.name] then
106-
h2_error.errors.INADEQUATE_SECURITY("bad cipher: " .. cipher.name)
106+
if h2_banned_ciphers[cipher.standard_name] then
107+
h2_error.errors.INADEQUATE_SECURITY("bad cipher: " .. cipher.standard_name)
107108
end
108109
end
109110

http/tls.lua

+1-345
Original file line numberDiff line numberDiff line change
@@ -119,347 +119,6 @@ local old_cipher_list = cipher_list {
119119
"!SRP";
120120
}
121121

122-
-- A map from the cipher identifiers used in specifications to
123-
-- the identifiers used by OpenSSL.
124-
local spec_to_openssl = {
125-
-- SSL cipher suites
126-
127-
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA = "DH-DSS-DES-CBC3-SHA";
128-
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA = "DH-RSA-DES-CBC3-SHA";
129-
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = "DHE-DSS-DES-CBC3-SHA";
130-
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = "DHE-RSA-DES-CBC3-SHA";
131-
132-
SSL_DH_anon_WITH_RC4_128_MD5 = "ADH-RC4-MD5";
133-
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA = "ADH-DES-CBC3-SHA";
134-
135-
136-
-- TLS v1.0 cipher suites.
137-
138-
TLS_RSA_WITH_NULL_MD5 = "NULL-MD5";
139-
TLS_RSA_WITH_NULL_SHA = "NULL-SHA";
140-
TLS_RSA_WITH_RC4_128_MD5 = "RC4-MD5";
141-
TLS_RSA_WITH_RC4_128_SHA = "RC4-SHA";
142-
TLS_RSA_WITH_IDEA_CBC_SHA = "IDEA-CBC-SHA";
143-
TLS_RSA_WITH_DES_CBC_SHA = "DES-CBC-SHA";
144-
TLS_RSA_WITH_3DES_EDE_CBC_SHA = "DES-CBC3-SHA";
145-
146-
TLS_DH_DSS_WITH_DES_CBC_SHA = "DH-DSS-DES-CBC-SHA";
147-
TLS_DH_RSA_WITH_DES_CBC_SHA = "DH-RSA-DES-CBC-SHA";
148-
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = "DH-DSS-DES-CBC3-SHA";
149-
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = "DH-RSA-DES-CBC3-SHA";
150-
TLS_DHE_DSS_WITH_DES_CBC_SHA = "EDH-DSS-DES-CBC-SHA";
151-
TLS_DHE_RSA_WITH_DES_CBC_SHA = "EDH-RSA-DES-CBC-SHA";
152-
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = "DHE-DSS-DES-CBC3-SHA";
153-
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = "DHE-RSA-DES-CBC3-SHA";
154-
155-
TLS_DH_anon_WITH_RC4_128_MD5 = "ADH-RC4-MD5";
156-
TLS_DH_anon_WITH_DES_CBC_SHA = "ADH-DES-CBC-SHA";
157-
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = "ADH-DES-CBC3-SHA";
158-
159-
160-
-- AES ciphersuites from RFC3268, extending TLS v1.0
161-
162-
TLS_RSA_WITH_AES_128_CBC_SHA = "AES128-SHA";
163-
TLS_RSA_WITH_AES_256_CBC_SHA = "AES256-SHA";
164-
165-
TLS_DH_DSS_WITH_AES_128_CBC_SHA = "DH-DSS-AES128-SHA";
166-
TLS_DH_DSS_WITH_AES_256_CBC_SHA = "DH-DSS-AES256-SHA";
167-
TLS_DH_RSA_WITH_AES_128_CBC_SHA = "DH-RSA-AES128-SHA";
168-
TLS_DH_RSA_WITH_AES_256_CBC_SHA = "DH-RSA-AES256-SHA";
169-
170-
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = "DHE-DSS-AES128-SHA";
171-
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = "DHE-DSS-AES256-SHA";
172-
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = "DHE-RSA-AES128-SHA";
173-
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = "DHE-RSA-AES256-SHA";
174-
175-
TLS_DH_anon_WITH_AES_128_CBC_SHA = "ADH-AES128-SHA";
176-
TLS_DH_anon_WITH_AES_256_CBC_SHA = "ADH-AES256-SHA";
177-
178-
179-
-- Camellia ciphersuites from RFC4132, extending TLS v1.0
180-
181-
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = "CAMELLIA128-SHA";
182-
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = "CAMELLIA256-SHA";
183-
184-
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = "DH-DSS-CAMELLIA128-SHA";
185-
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = "DH-DSS-CAMELLIA256-SHA";
186-
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = "DH-RSA-CAMELLIA128-SHA";
187-
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = "DH-RSA-CAMELLIA256-SHA";
188-
189-
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = "DHE-DSS-CAMELLIA128-SHA";
190-
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = "DHE-DSS-CAMELLIA256-SHA";
191-
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = "DHE-RSA-CAMELLIA128-SHA";
192-
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = "DHE-RSA-CAMELLIA256-SHA";
193-
194-
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = "ADH-CAMELLIA128-SHA";
195-
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = "ADH-CAMELLIA256-SHA";
196-
197-
198-
-- SEED ciphersuites from RFC4162, extending TLS v1.0
199-
200-
TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA";
201-
202-
TLS_DH_DSS_WITH_SEED_CBC_SHA = "DH-DSS-SEED-SHA";
203-
TLS_DH_RSA_WITH_SEED_CBC_SHA = "DH-RSA-SEED-SHA";
204-
205-
TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA";
206-
TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA";
207-
208-
TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA";
209-
210-
211-
-- GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0
212-
213-
TLS_GOSTR341094_WITH_28147_CNT_IMIT = "GOST94-GOST89-GOST89";
214-
TLS_GOSTR341001_WITH_28147_CNT_IMIT = "GOST2001-GOST89-GOST89";
215-
TLS_GOSTR341094_WITH_NULL_GOSTR3411 = "GOST94-NULL-GOST94";
216-
TLS_GOSTR341001_WITH_NULL_GOSTR3411 = "GOST2001-NULL-GOST94";
217-
218-
-- Additional Export 1024 and other cipher suites
219-
220-
TLS_DHE_DSS_WITH_RC4_128_SHA = "DHE-DSS-RC4-SHA";
221-
222-
223-
-- Elliptic curve cipher suites.
224-
225-
TLS_ECDH_RSA_WITH_NULL_SHA = "ECDH-RSA-NULL-SHA";
226-
TLS_ECDH_RSA_WITH_RC4_128_SHA = "ECDH-RSA-RC4-SHA";
227-
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = "ECDH-RSA-DES-CBC3-SHA";
228-
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = "ECDH-RSA-AES128-SHA";
229-
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = "ECDH-RSA-AES256-SHA";
230-
231-
TLS_ECDH_ECDSA_WITH_NULL_SHA = "ECDH-ECDSA-NULL-SHA";
232-
TLS_ECDH_ECDSA_WITH_RC4_128_SHA = "ECDH-ECDSA-RC4-SHA";
233-
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = "ECDH-ECDSA-DES-CBC3-SHA";
234-
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = "ECDH-ECDSA-AES128-SHA";
235-
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = "ECDH-ECDSA-AES256-SHA";
236-
237-
TLS_ECDHE_RSA_WITH_NULL_SHA = "ECDHE-RSA-NULL-SHA";
238-
TLS_ECDHE_RSA_WITH_RC4_128_SHA = "ECDHE-RSA-RC4-SHA";
239-
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = "ECDHE-RSA-DES-CBC3-SHA";
240-
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = "ECDHE-RSA-AES128-SHA";
241-
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = "ECDHE-RSA-AES256-SHA";
242-
243-
TLS_ECDHE_ECDSA_WITH_NULL_SHA = "ECDHE-ECDSA-NULL-SHA";
244-
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = "ECDHE-ECDSA-RC4-SHA";
245-
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = "ECDHE-ECDSA-DES-CBC3-SHA";
246-
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = "ECDHE-ECDSA-AES128-SHA";
247-
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = "ECDHE-ECDSA-AES256-SHA";
248-
249-
TLS_ECDH_anon_WITH_NULL_SHA = "AECDH-NULL-SHA";
250-
TLS_ECDH_anon_WITH_RC4_128_SHA = "AECDH-RC4-SHA";
251-
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = "AECDH-DES-CBC3-SHA";
252-
TLS_ECDH_anon_WITH_AES_128_CBC_SHA = "AECDH-AES128-SHA";
253-
TLS_ECDH_anon_WITH_AES_256_CBC_SHA = "AECDH-AES256-SHA";
254-
255-
256-
-- TLS v1.2 cipher suites
257-
258-
TLS_RSA_WITH_NULL_SHA256 = "NULL-SHA256";
259-
260-
TLS_RSA_WITH_AES_128_CBC_SHA256 = "AES128-SHA256";
261-
TLS_RSA_WITH_AES_256_CBC_SHA256 = "AES256-SHA256";
262-
TLS_RSA_WITH_AES_128_GCM_SHA256 = "AES128-GCM-SHA256";
263-
TLS_RSA_WITH_AES_256_GCM_SHA384 = "AES256-GCM-SHA384";
264-
265-
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = "DH-RSA-AES128-SHA256";
266-
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = "DH-RSA-AES256-SHA256";
267-
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = "DH-RSA-AES128-GCM-SHA256";
268-
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = "DH-RSA-AES256-GCM-SHA384";
269-
270-
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = "DH-DSS-AES128-SHA256";
271-
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = "DH-DSS-AES256-SHA256";
272-
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = "DH-DSS-AES128-GCM-SHA256";
273-
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = "DH-DSS-AES256-GCM-SHA384";
274-
275-
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = "DHE-RSA-AES128-SHA256";
276-
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = "DHE-RSA-AES256-SHA256";
277-
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = "DHE-RSA-AES128-GCM-SHA256";
278-
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = "DHE-RSA-AES256-GCM-SHA384";
279-
280-
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = "DHE-DSS-AES128-SHA256";
281-
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = "DHE-DSS-AES256-SHA256";
282-
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = "DHE-DSS-AES128-GCM-SHA256";
283-
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = "DHE-DSS-AES256-GCM-SHA384";
284-
285-
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = "ECDH-RSA-AES128-SHA256";
286-
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = "ECDH-RSA-AES256-SHA384";
287-
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = "ECDH-RSA-AES128-GCM-SHA256";
288-
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = "ECDH-RSA-AES256-GCM-SHA384";
289-
290-
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = "ECDH-ECDSA-AES128-SHA256";
291-
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = "ECDH-ECDSA-AES256-SHA384";
292-
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = "ECDH-ECDSA-AES128-GCM-SHA256";
293-
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = "ECDH-ECDSA-AES256-GCM-SHA384";
294-
295-
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = "ECDHE-RSA-AES128-SHA256";
296-
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = "ECDHE-RSA-AES256-SHA384";
297-
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = "ECDHE-RSA-AES128-GCM-SHA256";
298-
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = "ECDHE-RSA-AES256-GCM-SHA384";
299-
300-
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = "ECDHE-ECDSA-AES128-SHA256";
301-
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = "ECDHE-ECDSA-AES256-SHA384";
302-
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = "ECDHE-ECDSA-AES128-GCM-SHA256";
303-
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = "ECDHE-ECDSA-AES256-GCM-SHA384";
304-
305-
TLS_DH_anon_WITH_AES_128_CBC_SHA256 = "ADH-AES128-SHA256";
306-
TLS_DH_anon_WITH_AES_256_CBC_SHA256 = "ADH-AES256-SHA256";
307-
TLS_DH_anon_WITH_AES_128_GCM_SHA256 = "ADH-AES128-GCM-SHA256";
308-
TLS_DH_anon_WITH_AES_256_GCM_SHA384 = "ADH-AES256-GCM-SHA384";
309-
310-
TLS_RSA_WITH_AES_128_CCM = "AES128-CCM";
311-
TLS_RSA_WITH_AES_256_CCM = "AES256-CCM";
312-
TLS_DHE_RSA_WITH_AES_128_CCM = "DHE-RSA-AES128-CCM";
313-
TLS_DHE_RSA_WITH_AES_256_CCM = "DHE-RSA-AES256-CCM";
314-
TLS_RSA_WITH_AES_128_CCM_8 = "AES128-CCM8";
315-
TLS_RSA_WITH_AES_256_CCM_8 = "AES256-CCM8";
316-
TLS_DHE_RSA_WITH_AES_128_CCM_8 = "DHE-RSA-AES128-CCM8";
317-
TLS_DHE_RSA_WITH_AES_256_CCM_8 = "DHE-RSA-AES256-CCM8";
318-
TLS_ECDHE_ECDSA_WITH_AES_128_CCM = "ECDHE-ECDSA-AES128-CCM";
319-
TLS_ECDHE_ECDSA_WITH_AES_256_CCM = "ECDHE-ECDSA-AES256-CCM";
320-
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = "ECDHE-ECDSA-AES128-CCM8";
321-
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = "ECDHE-ECDSA-AES256-CCM8";
322-
323-
324-
-- Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2
325-
326-
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = "ECDHE-ECDSA-CAMELLIA128-SHA256";
327-
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = "ECDHE-ECDSA-CAMELLIA256-SHA384";
328-
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = "ECDH-ECDSA-CAMELLIA128-SHA256";
329-
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = "ECDH-ECDSA-CAMELLIA256-SHA384";
330-
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = "ECDHE-RSA-CAMELLIA128-SHA256";
331-
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = "ECDHE-RSA-CAMELLIA256-SHA384";
332-
TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = "ECDH-RSA-CAMELLIA128-SHA256";
333-
TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = "ECDH-RSA-CAMELLIA256-SHA384";
334-
335-
336-
-- Pre shared keying (PSK) ciphersuites
337-
338-
TLS_PSK_WITH_NULL_SHA = "PSK-NULL-SHA";
339-
TLS_DHE_PSK_WITH_NULL_SHA = "DHE-PSK-NULL-SHA";
340-
TLS_RSA_PSK_WITH_NULL_SHA = "RSA-PSK-NULL-SHA";
341-
342-
TLS_PSK_WITH_RC4_128_SHA = "PSK-RC4-SHA";
343-
TLS_PSK_WITH_3DES_EDE_CBC_SHA = "PSK-3DES-EDE-CBC-SHA";
344-
TLS_PSK_WITH_AES_128_CBC_SHA = "PSK-AES128-CBC-SHA";
345-
TLS_PSK_WITH_AES_256_CBC_SHA = "PSK-AES256-CBC-SHA";
346-
347-
TLS_DHE_PSK_WITH_RC4_128_SHA = "DHE-PSK-RC4-SHA";
348-
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = "DHE-PSK-3DES-EDE-CBC-SHA";
349-
TLS_DHE_PSK_WITH_AES_128_CBC_SHA = "DHE-PSK-AES128-CBC-SHA";
350-
TLS_DHE_PSK_WITH_AES_256_CBC_SHA = "DHE-PSK-AES256-CBC-SHA";
351-
352-
TLS_RSA_PSK_WITH_RC4_128_SHA = "RSA-PSK-RC4-SHA";
353-
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = "RSA-PSK-3DES-EDE-CBC-SHA";
354-
TLS_RSA_PSK_WITH_AES_128_CBC_SHA = "RSA-PSK-AES128-CBC-SHA";
355-
TLS_RSA_PSK_WITH_AES_256_CBC_SHA = "RSA-PSK-AES256-CBC-SHA";
356-
357-
TLS_PSK_WITH_AES_128_GCM_SHA256 = "PSK-AES128-GCM-SHA256";
358-
TLS_PSK_WITH_AES_256_GCM_SHA384 = "PSK-AES256-GCM-SHA384";
359-
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = "DHE-PSK-AES128-GCM-SHA256";
360-
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = "DHE-PSK-AES256-GCM-SHA384";
361-
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = "RSA-PSK-AES128-GCM-SHA256";
362-
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = "RSA-PSK-AES256-GCM-SHA384";
363-
TLS_PSK_WITH_AES_128_CBC_SHA256 = "PSK-AES128-CBC-SHA256";
364-
TLS_PSK_WITH_AES_256_CBC_SHA384 = "PSK-AES256-CBC-SHA384";
365-
TLS_PSK_WITH_NULL_SHA256 = "PSK-NULL-SHA256";
366-
TLS_PSK_WITH_NULL_SHA384 = "PSK-NULL-SHA384";
367-
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = "DHE-PSK-AES128-CBC-SHA256";
368-
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = "DHE-PSK-AES256-CBC-SHA384";
369-
TLS_DHE_PSK_WITH_NULL_SHA256 = "DHE-PSK-NULL-SHA256";
370-
TLS_DHE_PSK_WITH_NULL_SHA384 = "DHE-PSK-NULL-SHA384";
371-
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = "RSA-PSK-AES128-CBC-SHA256";
372-
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = "RSA-PSK-AES256-CBC-SHA384";
373-
TLS_RSA_PSK_WITH_NULL_SHA256 = "RSA-PSK-NULL-SHA256";
374-
TLS_RSA_PSK_WITH_NULL_SHA384 = "RSA-PSK-NULL-SHA384";
375-
376-
TLS_ECDHE_PSK_WITH_RC4_128_SHA = "ECDHE-PSK-RC4-SHA";
377-
TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = "ECDHE-PSK-3DES-EDE-CBC-SHA";
378-
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = "ECDHE-PSK-AES128-CBC-SHA";
379-
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = "ECDHE-PSK-AES256-CBC-SHA";
380-
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = "ECDHE-PSK-AES128-CBC-SHA256";
381-
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = "ECDHE-PSK-AES256-CBC-SHA384";
382-
TLS_ECDHE_PSK_WITH_NULL_SHA = "ECDHE-PSK-NULL-SHA";
383-
TLS_ECDHE_PSK_WITH_NULL_SHA256 = "ECDHE-PSK-NULL-SHA256";
384-
TLS_ECDHE_PSK_WITH_NULL_SHA384 = "ECDHE-PSK-NULL-SHA384";
385-
386-
TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = "PSK-CAMELLIA128-SHA256";
387-
TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = "PSK-CAMELLIA256-SHA384";
388-
389-
TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = "DHE-PSK-CAMELLIA128-SHA256";
390-
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = "DHE-PSK-CAMELLIA256-SHA384";
391-
392-
TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = "RSA-PSK-CAMELLIA128-SHA256";
393-
TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = "RSA-PSK-CAMELLIA256-SHA384";
394-
395-
TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = "ECDHE-PSK-CAMELLIA128-SHA256";
396-
TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = "ECDHE-PSK-CAMELLIA256-SHA384";
397-
398-
TLS_PSK_WITH_AES_128_CCM = "PSK-AES128-CCM";
399-
TLS_PSK_WITH_AES_256_CCM = "PSK-AES256-CCM";
400-
TLS_DHE_PSK_WITH_AES_128_CCM = "DHE-PSK-AES128-CCM";
401-
TLS_DHE_PSK_WITH_AES_256_CCM = "DHE-PSK-AES256-CCM";
402-
TLS_PSK_WITH_AES_128_CCM_8 = "PSK-AES128-CCM8";
403-
TLS_PSK_WITH_AES_256_CCM_8 = "PSK-AES256-CCM8";
404-
TLS_DHE_PSK_WITH_AES_128_CCM_8 = "DHE-PSK-AES128-CCM8";
405-
TLS_DHE_PSK_WITH_AES_256_CCM_8 = "DHE-PSK-AES256-CCM8";
406-
407-
408-
-- Export ciphers
409-
410-
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = "EXP-RC4-MD5";
411-
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = "EXP-RC2-CBC-MD5";
412-
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = "EXP-DES-CBC-SHA";
413-
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = "EXP-ADH-DES-CBC-SHA";
414-
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = "EXP-ADH-RC4-MD5";
415-
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = "EXP-EDH-RSA-DES-CBC-SHA";
416-
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = "EXP-EDH-DSS-DES-CBC-SHA";
417-
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = "EXP-DH-DSS-DES-CBC-SHA";
418-
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = "EXP-DH-RSA-DES-CBC-SHA";
419-
420-
421-
-- KRB5
422-
423-
TLS_KRB5_WITH_DES_CBC_SHA = "KRB5-DES-CBC-SHA";
424-
TLS_KRB5_WITH_3DES_EDE_CBC_SHA = "KRB5-DES-CBC3-SHA";
425-
TLS_KRB5_WITH_RC4_128_SHA = "KRB5-RC4-SHA";
426-
TLS_KRB5_WITH_IDEA_CBC_SHA = "KRB5-IDEA-CBC-SHA";
427-
TLS_KRB5_WITH_DES_CBC_MD5 = "KRB5-DES-CBC-MD5";
428-
TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = "KRB5-DES-CBC3-MD5";
429-
TLS_KRB5_WITH_RC4_128_MD5 = "KRB5-RC4-MD5";
430-
TLS_KRB5_WITH_IDEA_CBC_MD5 = "KRB5-IDEA-CBC-MD5";
431-
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = "EXP-KRB5-DES-CBC-SHA";
432-
TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = "EXP-KRB5-RC2-CBC-SHA";
433-
TLS_KRB5_EXPORT_WITH_RC4_40_SHA = "EXP-KRB5-RC4-SHA";
434-
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = "EXP-KRB5-DES-CBC-MD5";
435-
TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = "EXP-KRB5-RC2-CBC-MD5";
436-
TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = "EXP-KRB5-RC4-MD5";
437-
438-
439-
-- SRP5
440-
441-
TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = "SRP-3DES-EDE-CBC-SHA";
442-
TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = "SRP-RSA-3DES-EDE-CBC-SHA";
443-
TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = "SRP-DSS-3DES-EDE-CBC-SHA";
444-
TLS_SRP_SHA_WITH_AES_128_CBC_SHA = "SRP-AES-128-CBC-SHA";
445-
TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = "SRP-RSA-AES-128-CBC-SHA";
446-
TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = "SRP-DSS-AES-128-CBC-SHA";
447-
TLS_SRP_SHA_WITH_AES_256_CBC_SHA = "SRP-AES-256-CBC-SHA";
448-
TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = "SRP-RSA-AES-256-CBC-SHA";
449-
TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = "SRP-DSS-AES-256-CBC-SHA";
450-
451-
452-
-- CHACHA20+POLY1305
453-
454-
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = "ECDHE-RSA-CHACHA20-POLY1305";
455-
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = "ECDHE-ECDSA-CHACHA20-POLY1305";
456-
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = "DHE-RSA-CHACHA20-POLY1305";
457-
TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = "PSK-CHACHA20-POLY1305";
458-
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = "ECDHE-PSK-CHACHA20-POLY1305";
459-
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = "DHE-PSK-CHACHA20-POLY1305";
460-
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = "RSA-PSK-CHACHA20-POLY1305";
461-
}
462-
463122
-- Banned ciphers from https://http2.github.io/http2-spec/#BadCipherSuites
464123
local banned_ciphers = {}
465124
for _, v in ipairs {
@@ -740,10 +399,7 @@ for _, v in ipairs {
740399
"TLS_PSK_WITH_AES_128_CCM_8";
741400
"TLS_PSK_WITH_AES_256_CCM_8";
742401
} do
743-
local openssl_cipher_name = spec_to_openssl[v]
744-
if openssl_cipher_name then
745-
banned_ciphers[openssl_cipher_name] = true
746-
end
402+
banned_ciphers[v] = true
747403
end
748404

749405
local default_tls_options = openssl_ctx.OP_NO_COMPRESSION

0 commit comments

Comments
 (0)