Index: cmd/selfserv/selfserv.c |
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c |
index ca6d0eb10b15acbd5ecbe8f936dd4efc77b4f35a..4954294ab5e3eba639ae948b601503d50dba6660 100644 |
--- a/cmd/selfserv/selfserv.c |
+++ b/cmd/selfserv/selfserv.c |
@@ -100,14 +100,14 @@ const int ssl3CipherSuites[] = { |
TLS_RSA_WITH_RC4_128_MD5, /* c */ |
TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ |
TLS_RSA_WITH_DES_CBC_SHA, /* e */ |
- TLS_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ |
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ |
+ -1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5, * f */ |
+ -1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, * g */ |
-1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ |
TLS_RSA_WITH_NULL_MD5, /* i */ |
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ |
SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ |
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ |
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ |
+ -1, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, * l */ |
+ -1, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, * m */ |
TLS_RSA_WITH_RC4_128_SHA, /* n */ |
TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */ |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ |
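Review bot: The four letters retired here (f, g, l, m) now map to -1 exactly like the existing h entry, but nothing in the table explains the convention, so a later maintainer could reuse one of those slots and silently change what an old cipher string selects. A short comment on the first -1 entry would pin it down: `/* -1 marks a retired suite; keep the slot so the table stays indexable by cipher letter */`. The cipher-letter parser that consumes this table presumably already rejects -1, since h has carried that value before this change, but that code is outside the hunk and is worth confirming. The ssl3CipherSuites array begins before this hunk and continues after it.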
@@ -173,7 +173,6 @@ PrintParameterUsage() |
"-B bypasses the PKCS11 layer for SSL encryption and MACing\n" |
"-q checks for bypassability\n" |
"-D means disable Nagle delays in TCP\n" |
-"-E means disable export ciphersuites and SSL step down key gen\n" |
"-R means disable detection of rollback from TLS to SSL3\n" |
"-a configure server for SNI.\n" |
"-k expected name negotiated on server sockets\n" |
@@ -187,7 +186,6 @@ PrintParameterUsage() |
"-s means disable SSL socket locking for performance\n" |
"-u means enable Session Ticket extension for TLS.\n" |
"-v means verbose output\n" |
-"-x means use export policy.\n" |
"-z means enable compression.\n" |
"-L seconds means log statistics every 'seconds' seconds (default=30).\n" |
"-M maxProcs tells how many processes to run in a multi-process server\n" |
@@ -304,48 +302,6 @@ disableAllSSLCiphers(void) |
} |
} |
-/* disable all the export SSL cipher suites */ |
-SECStatus |
-disableExportSSLCiphers(void) |
-{ |
- const PRUint16 *cipherSuites = SSL_ImplementedCiphers; |
- int i = SSL_NumImplementedCiphers; |
- SECStatus rv = SECSuccess; |
- SSLCipherSuiteInfo info; |
- |
- while (--i >= 0) { |
- PRUint16 suite = cipherSuites[i]; |
- SECStatus status; |
- status = SSL_GetCipherSuiteInfo(suite, &info, sizeof info); |
- if (status != SECSuccess) { |
- printf("SSL_GetCipherSuiteInfo rejected suite 0x%04x (i = %d)\n", |
- suite, i); |
- errWarn("SSL_GetCipherSuiteInfo"); |
- rv = SECFailure; |
- continue; |
- } |
- if (info.cipherSuite != suite) { |
- printf( |
-"SSL_GetCipherSuiteInfo returned wrong suite! Wanted 0x%04x, Got 0x%04x\n", |
- suite, i); |
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
- rv = SECFailure; |
- continue; |
- } |
- /* should check here that info.length >= offsetof isExportable */ |
- if (info.isExportable) { |
- status = SSL_CipherPolicySet(suite, SSL_NOT_ALLOWED); |
- if (status != SECSuccess) { |
- printf("SSL_CipherPolicySet rejected suite 0x%04x (i = %d)\n", |
- suite, i); |
- errWarn("SSL_CipherPolicySet"); |
- rv = SECFailure; |
- } |
- } |
- } |
- return rv; |
-} |
- |
static SECStatus |
mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, |
PRBool isServer) |
@@ -814,7 +770,6 @@ static SSLVersionRange enabledVersions; |
PRBool disableRollBack = PR_FALSE; |
PRBool NoReuse = PR_FALSE; |
PRBool hasSidCache = PR_FALSE; |
-PRBool disableStepDown = PR_FALSE; |
PRBool bypassPKCS11 = PR_FALSE; |
PRBool disableLocking = PR_FALSE; |
PRBool testbypass = PR_FALSE; |
@@ -1861,12 +1816,6 @@ server_main( |
if (rv != SECSuccess) { |
errExit("error enabling RollBack detection "); |
} |
- if (disableStepDown) { |
- rv = SSL_OptionSet(model_sock, SSL_NO_STEP_DOWN, PR_TRUE); |
- if (rv != SECSuccess) { |
- errExit("error disabling SSL StepDown "); |
- } |
- } |
if (bypassPKCS11) { |
rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE); |
if (rv != SECSuccess) { |
@@ -2178,7 +2127,6 @@ main(int argc, char **argv) |
SECStatus rv; |
PRStatus prStatus; |
PRBool bindOnly = PR_FALSE; |
- PRBool useExportPolicy = PR_FALSE; |
PRBool useLocalThreads = PR_FALSE; |
PLOptState *optstate; |
PLOptStatus status; |
@@ -2205,7 +2153,7 @@ main(int argc, char **argv) |
** numbers, then capital letters, then lower case, alphabetical. |
*/ |
optstate = PL_CreateOptState(argc, argv, |
- "2:A:BC:DEGH:L:M:NP:RS:T:U:V:W:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz"); |
+ "2:A:BC:DGH:L:M:NP:RS:T:U:V:W:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:yz"); |
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { |
++optionsFound; |
switch(optstate->option) { |
@@ -2218,7 +2166,6 @@ main(int argc, char **argv) |
case 'C': if (optstate->value) NumSidCacheEntries = PORT_Atoi(optstate->value); break; |
case 'D': noDelay = PR_TRUE; break; |
- case 'E': disableStepDown = PR_TRUE; break; |
case 'H': configureDHE = (PORT_Atoi(optstate->value) != 0); break; |
case 'G': enableExtendedMasterSecret = PR_TRUE; break; |
@@ -2340,8 +2287,6 @@ main(int argc, char **argv) |
pwdata.data = passwd = PORT_Strdup(optstate->value); |
break; |
- case 'x': useExportPolicy = PR_TRUE; break; |
- |
case 'y': debugCache = PR_TRUE; break; |
case 'z': enableCompression = PR_TRUE; break; |
@@ -2501,24 +2446,6 @@ main(int argc, char **argv) |
exit(8); |
} |
- /* set the policy bits true for all the cipher suites. */ |
- if (useExportPolicy) { |
- NSS_SetExportPolicy(); |
- if (disableStepDown) { |
- fputs("selfserv: -x and -E options may not be used together\n", |
- stderr); |
- exit(98); |
- } |
- } else { |
- NSS_SetDomesticPolicy(); |
- if (disableStepDown) { |
- rv = disableExportSSLCiphers(); |
- if (rv != SECSuccess) { |
- errExit("error disabling export ciphersuites "); |
- } |
- } |
- } |
- |
/* all SSL3 cipher suites are enabled by default. */ |
if (cipherString) { |
char *cstringSaved = cipherString; |