runner: use 3DES instead of RC4 where possible.
To ease the removal of RC4, use 3DES in cases where RC4 is not itself required
and is just a placeholder for "ciphersuite that works in SSLv3."
Change-Id: Ib459173e68a662986235b556f330a7e0e02759d7
Reviewed-on: https://boringssl-review.googlesource.com/10523
Commit-Queue: Matt Braithwaite <mab@google.com>
Reviewed-by: Matt Braithwaite <mab@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index c33ca6a..54e2661 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -2204,7 +2204,7 @@
// elliptic curves, so no extensions are
// involved.
MaxVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+ CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Bugs: ProtocolBugs{
SendV2ClientHello: true,
},
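Review bot: The new `CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA}` line uses 3DES only as a stand-in (per the commit description), yet the surrounding comment explains the no-elliptic-curve requirement and not why this particular suite was picked. 3DES is itself a legacy 64-bit-block cipher, so this placeholder may need the same sweep that RC4 is getting now. A single named value, for example `const legacyPlaceholderCipher = TLS_RSA_WITH_3DES_EDE_CBC_SHA` (the name is only a suggestion), would turn that future change into a one-line edit. The same applies to the hunks at -2226, -3722, -5188 and -5203. The enclosing test-case literal starts and ends outside the hunk.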
@@ -2226,7 +2226,7 @@
// elliptic curves, so no extensions are
// involved.
MaxVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+ CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Bugs: ProtocolBugs{
SendV2ClientHello: true,
},
@@ -2527,24 +2527,24 @@
{
// Test that the null case (where no version-specific ciphers are set)
// works as expected.
- "RC4-SHA:AES128-SHA", // default ciphers
- "", // no ciphers specifically for TLS ≥ 1.0
- "", // no ciphers specifically for TLS ≥ 1.1
+ "DES-CBC3-SHA:AES128-SHA", // default ciphers
+ "", // no ciphers specifically for TLS ≥ 1.0
+ "", // no ciphers specifically for TLS ≥ 1.1
map[uint16]uint16{
- VersionSSL30: TLS_RSA_WITH_RC4_128_SHA,
- VersionTLS10: TLS_RSA_WITH_RC4_128_SHA,
- VersionTLS11: TLS_RSA_WITH_RC4_128_SHA,
- VersionTLS12: TLS_RSA_WITH_RC4_128_SHA,
+ VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ VersionTLS10: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ VersionTLS11: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ VersionTLS12: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
},
},
{
// With ciphers_tls10 set, TLS 1.0, 1.1 and 1.2 should get a different
// cipher.
- "RC4-SHA:AES128-SHA", // default
- "AES128-SHA", // these ciphers for TLS ≥ 1.0
- "", // no ciphers specifically for TLS ≥ 1.1
+ "DES-CBC3-SHA:AES128-SHA", // default
+ "AES128-SHA", // these ciphers for TLS ≥ 1.0
+ "", // no ciphers specifically for TLS ≥ 1.1
map[uint16]uint16{
- VersionSSL30: TLS_RSA_WITH_RC4_128_SHA,
+ VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
VersionTLS10: TLS_RSA_WITH_AES_128_CBC_SHA,
VersionTLS11: TLS_RSA_WITH_AES_128_CBC_SHA,
VersionTLS12: TLS_RSA_WITH_AES_128_CBC_SHA,
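Review bot: The expectations in these table entries depend on `DES-CBC3-SHA` being listed ahead of `AES128-SHA` in the default string, and the `// default ciphers` comment does not say so. In the null case every version is expected to get 3DES even though AES128-SHA is also in the list, so the test presumably relies on the first entry of the list winning. I would add a comment such as `// 3DES comes first so the default list is distinguishable from the AES-only per-version lists.` The entries in the hunks at -2553 and -2566, and the client list at -2594, rely on the same ordering. The table literal continues outside this hunk.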
@@ -2553,12 +2553,12 @@
{
// With ciphers_tls11 set, TLS 1.1 and 1.2 should get a different
// cipher.
- "RC4-SHA:AES128-SHA", // default
- "", // no ciphers specifically for TLS ≥ 1.0
- "AES128-SHA", // these ciphers for TLS ≥ 1.1
+ "DES-CBC3-SHA:AES128-SHA", // default
+ "", // no ciphers specifically for TLS ≥ 1.0
+ "AES128-SHA", // these ciphers for TLS ≥ 1.1
map[uint16]uint16{
- VersionSSL30: TLS_RSA_WITH_RC4_128_SHA,
- VersionTLS10: TLS_RSA_WITH_RC4_128_SHA,
+ VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ VersionTLS10: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
VersionTLS11: TLS_RSA_WITH_AES_128_CBC_SHA,
VersionTLS12: TLS_RSA_WITH_AES_128_CBC_SHA,
},
@@ -2566,11 +2566,11 @@
{
// With both ciphers_tls10 and ciphers_tls11 set, ciphers_tls11 should
// mask ciphers_tls10 for TLS 1.1 and 1.2.
- "RC4-SHA:AES128-SHA", // default
- "AES128-SHA", // these ciphers for TLS ≥ 1.0
- "AES256-SHA", // these ciphers for TLS ≥ 1.1
+ "DES-CBC3-SHA:AES128-SHA", // default
+ "AES128-SHA", // these ciphers for TLS ≥ 1.0
+ "AES256-SHA", // these ciphers for TLS ≥ 1.1
map[uint16]uint16{
- VersionSSL30: TLS_RSA_WITH_RC4_128_SHA,
+ VersionSSL30: TLS_RSA_WITH_3DES_EDE_CBC_SHA,
VersionTLS10: TLS_RSA_WITH_AES_128_CBC_SHA,
VersionTLS11: TLS_RSA_WITH_AES_256_CBC_SHA,
VersionTLS12: TLS_RSA_WITH_AES_256_CBC_SHA,
@@ -2594,7 +2594,7 @@
config: Config{
MaxVersion: version,
MinVersion: version,
- CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA},
+ CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA},
},
flags: flags,
expectedCipher: expectedCipherSuite,
@@ -3722,7 +3722,7 @@
// elliptic curves, so no extensions are
// involved.
MaxVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+ CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Bugs: ProtocolBugs{
SendV2ClientHello: true,
},
@@ -5188,7 +5188,7 @@
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+ CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
},
renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
flags: []string{
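Review bot: With `TLS_RSA_WITH_3DES_EDE_CBC_SHA` as the initial suite, this renegotiation case now switches from a CBC suite to an AEAD suite, where it previously switched from a stream cipher, and nothing in the visible lines records which property of the pair the test needs. If the intent is only that the initial and renegotiated suites differ, a comment like `// Any suite other than the renegotiated one works here; 3DES is a placeholder.` would keep a later replacement from narrowing the coverage by accident. The mirrored case in the hunk at -5203 would want the same comment. The test-case literal starts and ends outside the hunk.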
@@ -5203,7 +5203,7 @@
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
},
- renegotiateCiphers: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+ renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
@@ -6764,7 +6764,7 @@
// version are different, to detect if the
// server uses the wrong one.
MaxVersion: VersionTLS11,
- CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+ CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Bugs: ProtocolBugs{
BadRSAClientKeyExchange: bad,
},
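Review bot: The visible comment explains the `MaxVersion: VersionTLS11` choice but not the constraint on `CipherSuites`, which here is stricter than "any suite that works in SSLv3". Since the case sets `BadRSAClientKeyExchange`, it presumably needs a suite with RSA key exchange, so a future replacement of 3DES must keep that property. I would add `// Must be an RSA key exchange suite; the specific bulk cipher is a placeholder.` above the `CipherSuites` line. The enclosing literal and its comment begin outside the hunk.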