Blame SOURCES/nss-disable-cipher-suites.patch

5f1c2b
diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c
e4d72e
--- nss/lib/ssl/ssl3con.c.disable-cipher-suites	2019-03-21 14:24:14.660150519 +0100
e4d72e
+++ nss/lib/ssl/ssl3con.c	2019-03-21 14:25:12.997929443 +0100
e4d72e
@@ -96,7 +96,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
5f1c2b
  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
c6cc0b
  { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
5f1c2b
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
5f1c2b
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
5f1c2b
+ /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default.
5f1c2b
+  * The GCM variant is preferred for new applications.
5f1c2b
+  */
5f1c2b
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
5f1c2b
  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
5f1c2b
  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
e4d72e
  { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
e4d72e
@@ -105,7 +108,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
5f1c2b
  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
c6cc0b
  { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
5f1c2b
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
5f1c2b
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
5f1c2b
+ /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default.
5f1c2b
+  * The GCM variant is preferred for new applications.
5f1c2b
+  */
5f1c2b
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
5f1c2b
  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
5f1c2b
  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
e4d72e
  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},