)]}'
{
  "commit": "6e678eeb6e76171712ae00d467321b6fe196152d",
  "tree": "4a51bf5c5edc3bd26a56d35cd23b5b3a078ef598",
  "parents": [
    "71666cb87c4de0bbc34df783e571bdc936f38b0b"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Mon Apr 16 19:54:42 2018 -0400"
  },
  "committer": {
    "name": "Adam Langley",
    "email": "agl@google.com",
    "time": "Wed May 02 19:21:56 2018 +0000"
  },
  "message": "Remove legacy SHA-2 CBC ciphers.\n\nAll CBC ciphers in TLS are broken and insecure. TLS 1.2 introduced\nAEAD-based ciphers which avoid their many problems. It also introduced\nnew CBC ciphers based on HMAC-SHA256 and HMAC-SHA384 that share the same\nflaws as the original HMAC-SHA1 ones. These serve no purpose. Old\nclients don\u0027t support them, they have the highest overhead of all TLS\nciphers, and new clients can use AEADs anyway.\n\nRemove them from libssl. This is the smaller, more easily reverted\nportion of the removal. If it survives a week or so, we can unwind a lot\nmore code elsewhere in libcrypto. This removal will allow us to clear\nsome indirect calls from crypto/cipher_extra/tls_cbc.c, aligning with\nthe recommendations here:\n\nhttps://github.com/HACS-workshop/spectre-mitigations/blob/master/crypto_guidelines.md#2-avoid-indirect-branches-in-constant-time-code\n\nUpdate-Note: The following cipher suites are removed:\n- TLS_RSA_WITH_AES_128_CBC_SHA256\n- TLS_RSA_WITH_AES_256_CBC_SHA256\n- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\n- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\n- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\n- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\n\nChange-Id: I7ade0fc1fa2464626560d156659893899aab6f77\nReviewed-on: https://boringssl-review.googlesource.com/27944\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "ee879c8e263094eaafee19bda4191f53d5774e06",
      "old_mode": 33188,
      "old_path": "include/openssl/ssl.h",
      "new_id": "03a89fb46149a37e97ed80155e2376efc2945428",
      "new_mode": 33188,
      "new_path": "include/openssl/ssl.h"
    },
    {
      "type": "modify",
      "old_id": "20c060a4fa974b1f280f334d20d1539aa7e16311",
      "old_mode": 33188,
      "old_path": "ssl/internal.h",
      "new_id": "2550aad186c1b90a8789d30cef20c6299ecdae9a",
      "new_mode": 33188,
      "new_path": "ssl/internal.h"
    },
    {
      "type": "modify",
      "old_id": "f02fa8a88bb38f0b63ce8ffa5c8aaf72449028fb",
      "old_mode": 33188,
      "old_path": "ssl/ssl_cipher.cc",
      "new_id": "c42a420f48baa09d4686cbedd1acf08a08de6ba0",
      "new_mode": 33188,
      "new_path": "ssl/ssl_cipher.cc"
    },
    {
      "type": "modify",
      "old_id": "c7032afba07c271675811b6388d1a3526fbc1525",
      "old_mode": 33188,
      "old_path": "ssl/ssl_test.cc",
      "new_id": "4a1497c48e9c538ddd401a6b2c365da8344c2ebd",
      "new_mode": 33188,
      "new_path": "ssl/ssl_test.cc"
    },
    {
      "type": "modify",
      "old_id": "38607d2854c3b938d046420c982367e7cbafceba",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/runner.go",
      "new_id": "16c039f4c07bb0d62ca5c40c6ab6e71eaeb06694",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/runner.go"
    }
  ]
}