Skip to content

Commit

Permalink
http/tls.lua: Index banned_ciphers by standard name
Browse files Browse the repository at this point in the history
This alleviates the need for our own standard name to openssl name map for ciphers.
Requires wahern/luaossl#142
  • Loading branch information
daurnimator committed Jul 13, 2018
1 parent cd9ff6b commit 2b834cd
Show file tree
Hide file tree
Showing 3 changed files with 5 additions and 350 deletions.
4 changes: 1 addition & 3 deletions doc/modules/http.tls.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,7 @@ The [Mozilla "Old" cipher list](https://wiki.mozilla.org/Security/Server_Side_TL

### `banned_ciphers` <!-- --> {#http.tls.banned_ciphers}

A set (table with string keys and values of `true`) of the [ciphers banned in HTTP 2](https://http2.github.io/http2-spec/#BadCipherSuites) where the keys are OpenSSL cipher names.

Ciphers not known by OpenSSL are missing from the set.
A set (table with string keys and values of `true`) of the [ciphers banned in HTTP 2](https://http2.github.io/http2-spec/#BadCipherSuites) where the keys are standard cipher names.


### `new_client_context()` <!-- --> {#http.tls.new_client_context}
Expand Down
5 changes: 3 additions & 2 deletions http/h2_connection.lua
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ local cqueues = require "cqueues"
local monotime = cqueues.monotime
local cc = require "cqueues.condition"
local ce = require "cqueues.errno"
local openssl_ciphers = require "openssl.ciphers"
local rand = require "openssl.rand"
local new_fifo = require "fifo"
local band = require "http.bit".band
Expand Down Expand Up @@ -102,8 +103,8 @@ local function new_connection(socket, conn_type, settings)
local ssl = socket:checktls()
if ssl then
local cipher = ssl:getCipherInfo()
if h2_banned_ciphers[cipher.name] then
h2_error.errors.INADEQUATE_SECURITY("bad cipher: " .. cipher.name)
if h2_banned_ciphers[cipher.standard_name] then
h2_error.errors.INADEQUATE_SECURITY("bad cipher: " .. cipher.standard_name)
end
end

Expand Down
346 changes: 1 addition & 345 deletions http/tls.lua
Original file line number Diff line number Diff line change
Expand Up @@ -119,347 +119,6 @@ local old_cipher_list = cipher_list {
"!SRP";
}

-- A map from the cipher identifiers used in specifications to
-- the identifiers used by OpenSSL.
local spec_to_openssl = {
-- SSL cipher suites

SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA = "DH-DSS-DES-CBC3-SHA";
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA = "DH-RSA-DES-CBC3-SHA";
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = "DHE-DSS-DES-CBC3-SHA";
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = "DHE-RSA-DES-CBC3-SHA";

SSL_DH_anon_WITH_RC4_128_MD5 = "ADH-RC4-MD5";
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA = "ADH-DES-CBC3-SHA";


-- TLS v1.0 cipher suites.

TLS_RSA_WITH_NULL_MD5 = "NULL-MD5";
TLS_RSA_WITH_NULL_SHA = "NULL-SHA";
TLS_RSA_WITH_RC4_128_MD5 = "RC4-MD5";
TLS_RSA_WITH_RC4_128_SHA = "RC4-SHA";
TLS_RSA_WITH_IDEA_CBC_SHA = "IDEA-CBC-SHA";
TLS_RSA_WITH_DES_CBC_SHA = "DES-CBC-SHA";
TLS_RSA_WITH_3DES_EDE_CBC_SHA = "DES-CBC3-SHA";

TLS_DH_DSS_WITH_DES_CBC_SHA = "DH-DSS-DES-CBC-SHA";
TLS_DH_RSA_WITH_DES_CBC_SHA = "DH-RSA-DES-CBC-SHA";
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = "DH-DSS-DES-CBC3-SHA";
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = "DH-RSA-DES-CBC3-SHA";
TLS_DHE_DSS_WITH_DES_CBC_SHA = "EDH-DSS-DES-CBC-SHA";
TLS_DHE_RSA_WITH_DES_CBC_SHA = "EDH-RSA-DES-CBC-SHA";
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = "DHE-DSS-DES-CBC3-SHA";
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = "DHE-RSA-DES-CBC3-SHA";

TLS_DH_anon_WITH_RC4_128_MD5 = "ADH-RC4-MD5";
TLS_DH_anon_WITH_DES_CBC_SHA = "ADH-DES-CBC-SHA";
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = "ADH-DES-CBC3-SHA";


-- AES ciphersuites from RFC3268, extending TLS v1.0

TLS_RSA_WITH_AES_128_CBC_SHA = "AES128-SHA";
TLS_RSA_WITH_AES_256_CBC_SHA = "AES256-SHA";

TLS_DH_DSS_WITH_AES_128_CBC_SHA = "DH-DSS-AES128-SHA";
TLS_DH_DSS_WITH_AES_256_CBC_SHA = "DH-DSS-AES256-SHA";
TLS_DH_RSA_WITH_AES_128_CBC_SHA = "DH-RSA-AES128-SHA";
TLS_DH_RSA_WITH_AES_256_CBC_SHA = "DH-RSA-AES256-SHA";

TLS_DHE_DSS_WITH_AES_128_CBC_SHA = "DHE-DSS-AES128-SHA";
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = "DHE-DSS-AES256-SHA";
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = "DHE-RSA-AES128-SHA";
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = "DHE-RSA-AES256-SHA";

TLS_DH_anon_WITH_AES_128_CBC_SHA = "ADH-AES128-SHA";
TLS_DH_anon_WITH_AES_256_CBC_SHA = "ADH-AES256-SHA";


-- Camellia ciphersuites from RFC4132, extending TLS v1.0

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = "CAMELLIA128-SHA";
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = "CAMELLIA256-SHA";

TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = "DH-DSS-CAMELLIA128-SHA";
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = "DH-DSS-CAMELLIA256-SHA";
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = "DH-RSA-CAMELLIA128-SHA";
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = "DH-RSA-CAMELLIA256-SHA";

TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = "DHE-DSS-CAMELLIA128-SHA";
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = "DHE-DSS-CAMELLIA256-SHA";
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = "DHE-RSA-CAMELLIA128-SHA";
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = "DHE-RSA-CAMELLIA256-SHA";

TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = "ADH-CAMELLIA128-SHA";
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = "ADH-CAMELLIA256-SHA";


-- SEED ciphersuites from RFC4162, extending TLS v1.0

TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA";

TLS_DH_DSS_WITH_SEED_CBC_SHA = "DH-DSS-SEED-SHA";
TLS_DH_RSA_WITH_SEED_CBC_SHA = "DH-RSA-SEED-SHA";

TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA";
TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA";

TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA";


-- GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0

TLS_GOSTR341094_WITH_28147_CNT_IMIT = "GOST94-GOST89-GOST89";
TLS_GOSTR341001_WITH_28147_CNT_IMIT = "GOST2001-GOST89-GOST89";
TLS_GOSTR341094_WITH_NULL_GOSTR3411 = "GOST94-NULL-GOST94";
TLS_GOSTR341001_WITH_NULL_GOSTR3411 = "GOST2001-NULL-GOST94";

-- Additional Export 1024 and other cipher suites

TLS_DHE_DSS_WITH_RC4_128_SHA = "DHE-DSS-RC4-SHA";


-- Elliptic curve cipher suites.

TLS_ECDH_RSA_WITH_NULL_SHA = "ECDH-RSA-NULL-SHA";
TLS_ECDH_RSA_WITH_RC4_128_SHA = "ECDH-RSA-RC4-SHA";
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = "ECDH-RSA-DES-CBC3-SHA";
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = "ECDH-RSA-AES128-SHA";
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = "ECDH-RSA-AES256-SHA";

TLS_ECDH_ECDSA_WITH_NULL_SHA = "ECDH-ECDSA-NULL-SHA";
TLS_ECDH_ECDSA_WITH_RC4_128_SHA = "ECDH-ECDSA-RC4-SHA";
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = "ECDH-ECDSA-DES-CBC3-SHA";
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = "ECDH-ECDSA-AES128-SHA";
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = "ECDH-ECDSA-AES256-SHA";

TLS_ECDHE_RSA_WITH_NULL_SHA = "ECDHE-RSA-NULL-SHA";
TLS_ECDHE_RSA_WITH_RC4_128_SHA = "ECDHE-RSA-RC4-SHA";
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = "ECDHE-RSA-DES-CBC3-SHA";
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = "ECDHE-RSA-AES128-SHA";
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = "ECDHE-RSA-AES256-SHA";

TLS_ECDHE_ECDSA_WITH_NULL_SHA = "ECDHE-ECDSA-NULL-SHA";
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = "ECDHE-ECDSA-RC4-SHA";
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = "ECDHE-ECDSA-DES-CBC3-SHA";
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = "ECDHE-ECDSA-AES128-SHA";
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = "ECDHE-ECDSA-AES256-SHA";

TLS_ECDH_anon_WITH_NULL_SHA = "AECDH-NULL-SHA";
TLS_ECDH_anon_WITH_RC4_128_SHA = "AECDH-RC4-SHA";
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = "AECDH-DES-CBC3-SHA";
TLS_ECDH_anon_WITH_AES_128_CBC_SHA = "AECDH-AES128-SHA";
TLS_ECDH_anon_WITH_AES_256_CBC_SHA = "AECDH-AES256-SHA";


-- TLS v1.2 cipher suites

TLS_RSA_WITH_NULL_SHA256 = "NULL-SHA256";

TLS_RSA_WITH_AES_128_CBC_SHA256 = "AES128-SHA256";
TLS_RSA_WITH_AES_256_CBC_SHA256 = "AES256-SHA256";
TLS_RSA_WITH_AES_128_GCM_SHA256 = "AES128-GCM-SHA256";
TLS_RSA_WITH_AES_256_GCM_SHA384 = "AES256-GCM-SHA384";

TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = "DH-RSA-AES128-SHA256";
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = "DH-RSA-AES256-SHA256";
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = "DH-RSA-AES128-GCM-SHA256";
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = "DH-RSA-AES256-GCM-SHA384";

TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = "DH-DSS-AES128-SHA256";
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = "DH-DSS-AES256-SHA256";
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = "DH-DSS-AES128-GCM-SHA256";
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = "DH-DSS-AES256-GCM-SHA384";

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = "DHE-RSA-AES128-SHA256";
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = "DHE-RSA-AES256-SHA256";
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = "DHE-RSA-AES128-GCM-SHA256";
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = "DHE-RSA-AES256-GCM-SHA384";

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = "DHE-DSS-AES128-SHA256";
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = "DHE-DSS-AES256-SHA256";
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = "DHE-DSS-AES128-GCM-SHA256";
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = "DHE-DSS-AES256-GCM-SHA384";

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = "ECDH-RSA-AES128-SHA256";
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = "ECDH-RSA-AES256-SHA384";
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = "ECDH-RSA-AES128-GCM-SHA256";
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = "ECDH-RSA-AES256-GCM-SHA384";

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = "ECDH-ECDSA-AES128-SHA256";
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = "ECDH-ECDSA-AES256-SHA384";
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = "ECDH-ECDSA-AES128-GCM-SHA256";
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = "ECDH-ECDSA-AES256-GCM-SHA384";

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = "ECDHE-RSA-AES128-SHA256";
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = "ECDHE-RSA-AES256-SHA384";
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = "ECDHE-RSA-AES128-GCM-SHA256";
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = "ECDHE-RSA-AES256-GCM-SHA384";

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = "ECDHE-ECDSA-AES128-SHA256";
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = "ECDHE-ECDSA-AES256-SHA384";
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = "ECDHE-ECDSA-AES128-GCM-SHA256";
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = "ECDHE-ECDSA-AES256-GCM-SHA384";

TLS_DH_anon_WITH_AES_128_CBC_SHA256 = "ADH-AES128-SHA256";
TLS_DH_anon_WITH_AES_256_CBC_SHA256 = "ADH-AES256-SHA256";
TLS_DH_anon_WITH_AES_128_GCM_SHA256 = "ADH-AES128-GCM-SHA256";
TLS_DH_anon_WITH_AES_256_GCM_SHA384 = "ADH-AES256-GCM-SHA384";

TLS_RSA_WITH_AES_128_CCM = "AES128-CCM";
TLS_RSA_WITH_AES_256_CCM = "AES256-CCM";
TLS_DHE_RSA_WITH_AES_128_CCM = "DHE-RSA-AES128-CCM";
TLS_DHE_RSA_WITH_AES_256_CCM = "DHE-RSA-AES256-CCM";
TLS_RSA_WITH_AES_128_CCM_8 = "AES128-CCM8";
TLS_RSA_WITH_AES_256_CCM_8 = "AES256-CCM8";
TLS_DHE_RSA_WITH_AES_128_CCM_8 = "DHE-RSA-AES128-CCM8";
TLS_DHE_RSA_WITH_AES_256_CCM_8 = "DHE-RSA-AES256-CCM8";
TLS_ECDHE_ECDSA_WITH_AES_128_CCM = "ECDHE-ECDSA-AES128-CCM";
TLS_ECDHE_ECDSA_WITH_AES_256_CCM = "ECDHE-ECDSA-AES256-CCM";
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = "ECDHE-ECDSA-AES128-CCM8";
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = "ECDHE-ECDSA-AES256-CCM8";


-- Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2

TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = "ECDHE-ECDSA-CAMELLIA128-SHA256";
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = "ECDHE-ECDSA-CAMELLIA256-SHA384";
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = "ECDH-ECDSA-CAMELLIA128-SHA256";
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = "ECDH-ECDSA-CAMELLIA256-SHA384";
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = "ECDHE-RSA-CAMELLIA128-SHA256";
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = "ECDHE-RSA-CAMELLIA256-SHA384";
TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = "ECDH-RSA-CAMELLIA128-SHA256";
TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = "ECDH-RSA-CAMELLIA256-SHA384";


-- Pre shared keying (PSK) ciphersuites

TLS_PSK_WITH_NULL_SHA = "PSK-NULL-SHA";
TLS_DHE_PSK_WITH_NULL_SHA = "DHE-PSK-NULL-SHA";
TLS_RSA_PSK_WITH_NULL_SHA = "RSA-PSK-NULL-SHA";

TLS_PSK_WITH_RC4_128_SHA = "PSK-RC4-SHA";
TLS_PSK_WITH_3DES_EDE_CBC_SHA = "PSK-3DES-EDE-CBC-SHA";
TLS_PSK_WITH_AES_128_CBC_SHA = "PSK-AES128-CBC-SHA";
TLS_PSK_WITH_AES_256_CBC_SHA = "PSK-AES256-CBC-SHA";

TLS_DHE_PSK_WITH_RC4_128_SHA = "DHE-PSK-RC4-SHA";
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = "DHE-PSK-3DES-EDE-CBC-SHA";
TLS_DHE_PSK_WITH_AES_128_CBC_SHA = "DHE-PSK-AES128-CBC-SHA";
TLS_DHE_PSK_WITH_AES_256_CBC_SHA = "DHE-PSK-AES256-CBC-SHA";

TLS_RSA_PSK_WITH_RC4_128_SHA = "RSA-PSK-RC4-SHA";
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = "RSA-PSK-3DES-EDE-CBC-SHA";
TLS_RSA_PSK_WITH_AES_128_CBC_SHA = "RSA-PSK-AES128-CBC-SHA";
TLS_RSA_PSK_WITH_AES_256_CBC_SHA = "RSA-PSK-AES256-CBC-SHA";

TLS_PSK_WITH_AES_128_GCM_SHA256 = "PSK-AES128-GCM-SHA256";
TLS_PSK_WITH_AES_256_GCM_SHA384 = "PSK-AES256-GCM-SHA384";
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = "DHE-PSK-AES128-GCM-SHA256";
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = "DHE-PSK-AES256-GCM-SHA384";
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = "RSA-PSK-AES128-GCM-SHA256";
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = "RSA-PSK-AES256-GCM-SHA384";
TLS_PSK_WITH_AES_128_CBC_SHA256 = "PSK-AES128-CBC-SHA256";
TLS_PSK_WITH_AES_256_CBC_SHA384 = "PSK-AES256-CBC-SHA384";
TLS_PSK_WITH_NULL_SHA256 = "PSK-NULL-SHA256";
TLS_PSK_WITH_NULL_SHA384 = "PSK-NULL-SHA384";
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = "DHE-PSK-AES128-CBC-SHA256";
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = "DHE-PSK-AES256-CBC-SHA384";
TLS_DHE_PSK_WITH_NULL_SHA256 = "DHE-PSK-NULL-SHA256";
TLS_DHE_PSK_WITH_NULL_SHA384 = "DHE-PSK-NULL-SHA384";
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = "RSA-PSK-AES128-CBC-SHA256";
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = "RSA-PSK-AES256-CBC-SHA384";
TLS_RSA_PSK_WITH_NULL_SHA256 = "RSA-PSK-NULL-SHA256";
TLS_RSA_PSK_WITH_NULL_SHA384 = "RSA-PSK-NULL-SHA384";

TLS_ECDHE_PSK_WITH_RC4_128_SHA = "ECDHE-PSK-RC4-SHA";
TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = "ECDHE-PSK-3DES-EDE-CBC-SHA";
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = "ECDHE-PSK-AES128-CBC-SHA";
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = "ECDHE-PSK-AES256-CBC-SHA";
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = "ECDHE-PSK-AES128-CBC-SHA256";
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = "ECDHE-PSK-AES256-CBC-SHA384";
TLS_ECDHE_PSK_WITH_NULL_SHA = "ECDHE-PSK-NULL-SHA";
TLS_ECDHE_PSK_WITH_NULL_SHA256 = "ECDHE-PSK-NULL-SHA256";
TLS_ECDHE_PSK_WITH_NULL_SHA384 = "ECDHE-PSK-NULL-SHA384";

TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = "PSK-CAMELLIA128-SHA256";
TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = "PSK-CAMELLIA256-SHA384";

TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = "DHE-PSK-CAMELLIA128-SHA256";
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = "DHE-PSK-CAMELLIA256-SHA384";

TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = "RSA-PSK-CAMELLIA128-SHA256";
TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = "RSA-PSK-CAMELLIA256-SHA384";

TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = "ECDHE-PSK-CAMELLIA128-SHA256";
TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = "ECDHE-PSK-CAMELLIA256-SHA384";

TLS_PSK_WITH_AES_128_CCM = "PSK-AES128-CCM";
TLS_PSK_WITH_AES_256_CCM = "PSK-AES256-CCM";
TLS_DHE_PSK_WITH_AES_128_CCM = "DHE-PSK-AES128-CCM";
TLS_DHE_PSK_WITH_AES_256_CCM = "DHE-PSK-AES256-CCM";
TLS_PSK_WITH_AES_128_CCM_8 = "PSK-AES128-CCM8";
TLS_PSK_WITH_AES_256_CCM_8 = "PSK-AES256-CCM8";
TLS_DHE_PSK_WITH_AES_128_CCM_8 = "DHE-PSK-AES128-CCM8";
TLS_DHE_PSK_WITH_AES_256_CCM_8 = "DHE-PSK-AES256-CCM8";


-- Export ciphers

TLS_RSA_EXPORT_WITH_RC4_40_MD5 = "EXP-RC4-MD5";
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = "EXP-RC2-CBC-MD5";
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = "EXP-DES-CBC-SHA";
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = "EXP-ADH-DES-CBC-SHA";
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = "EXP-ADH-RC4-MD5";
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = "EXP-EDH-RSA-DES-CBC-SHA";
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = "EXP-EDH-DSS-DES-CBC-SHA";
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = "EXP-DH-DSS-DES-CBC-SHA";
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = "EXP-DH-RSA-DES-CBC-SHA";


-- KRB5

TLS_KRB5_WITH_DES_CBC_SHA = "KRB5-DES-CBC-SHA";
TLS_KRB5_WITH_3DES_EDE_CBC_SHA = "KRB5-DES-CBC3-SHA";
TLS_KRB5_WITH_RC4_128_SHA = "KRB5-RC4-SHA";
TLS_KRB5_WITH_IDEA_CBC_SHA = "KRB5-IDEA-CBC-SHA";
TLS_KRB5_WITH_DES_CBC_MD5 = "KRB5-DES-CBC-MD5";
TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = "KRB5-DES-CBC3-MD5";
TLS_KRB5_WITH_RC4_128_MD5 = "KRB5-RC4-MD5";
TLS_KRB5_WITH_IDEA_CBC_MD5 = "KRB5-IDEA-CBC-MD5";
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = "EXP-KRB5-DES-CBC-SHA";
TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = "EXP-KRB5-RC2-CBC-SHA";
TLS_KRB5_EXPORT_WITH_RC4_40_SHA = "EXP-KRB5-RC4-SHA";
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = "EXP-KRB5-DES-CBC-MD5";
TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = "EXP-KRB5-RC2-CBC-MD5";
TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = "EXP-KRB5-RC4-MD5";


-- SRP5

TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = "SRP-3DES-EDE-CBC-SHA";
TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = "SRP-RSA-3DES-EDE-CBC-SHA";
TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = "SRP-DSS-3DES-EDE-CBC-SHA";
TLS_SRP_SHA_WITH_AES_128_CBC_SHA = "SRP-AES-128-CBC-SHA";
TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = "SRP-RSA-AES-128-CBC-SHA";
TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = "SRP-DSS-AES-128-CBC-SHA";
TLS_SRP_SHA_WITH_AES_256_CBC_SHA = "SRP-AES-256-CBC-SHA";
TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = "SRP-RSA-AES-256-CBC-SHA";
TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = "SRP-DSS-AES-256-CBC-SHA";


-- CHACHA20+POLY1305

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = "ECDHE-RSA-CHACHA20-POLY1305";
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = "ECDHE-ECDSA-CHACHA20-POLY1305";
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = "DHE-RSA-CHACHA20-POLY1305";
TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = "PSK-CHACHA20-POLY1305";
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = "ECDHE-PSK-CHACHA20-POLY1305";
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = "DHE-PSK-CHACHA20-POLY1305";
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = "RSA-PSK-CHACHA20-POLY1305";
}

-- Banned ciphers from https://http2.github.io/http2-spec/#BadCipherSuites
local banned_ciphers = {}
for _, v in ipairs {
Expand Down Expand Up @@ -740,10 +399,7 @@ for _, v in ipairs {
"TLS_PSK_WITH_AES_128_CCM_8";
"TLS_PSK_WITH_AES_256_CCM_8";
} do
local openssl_cipher_name = spec_to_openssl[v]
if openssl_cipher_name then
banned_ciphers[openssl_cipher_name] = true
end
banned_ciphers[v] = true
end

local default_tls_options = openssl_ctx.OP_NO_COMPRESSION
Expand Down

0 comments on commit 2b834cd

Please sign in to comment.