Remove CBC-mode ECDSA ciphers in TLS
Issue description (see http://www.chromium.org/blink#launch-process for an overview)

Change description:
Remove ECDHE_ECDSA_WITH_AES_128_CBC_SHA and ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS cipher suites. TLS's CBC-mode construction is flawed, making it fragile and very difficult to implement securely. Although CBC-mode ciphers are still widely used with RSA, they are virtually nonexistent with ECDSA (0.00% in UMA).

Changes to API surface:
- Our ClientHello will no longer advertise the above ciphers.

Links:
Public standards discussion: No discussion of this removal, but CBC-mode ciphers are extremely problematic and were removed in TLS 1.3: https://tlswg.github.io/tls13-spec/#rfc.appendix.A.4
The upcoming TLS registry updates document also adds a "Recommended" column which will set all CBC-mode ciphers to "No": https://tools.ietf.org/html/draft-sandj-tls-iana-registry-updates-01#section-6

Support in other browsers:
Internet Explorer: still offered
Firefox: still offered
Safari: still offered

*Make sure to fill in any labels with a -?, including all OSes this change affects. Feel free to leave other labels at the defaults.
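To gauge which servers stop negotiating once a client drops these two suites, here is an added Python example (not Chromium code): it encodes and parses a ClientHello cipher_suites vector, strips 0xC009 and 0xC00A (the IANA code points of the two removed suites) as the change does, and runs server-preference negotiation against constructed server configurations. The client offer and the server lists are constructed stand-ins, not Chrome's actual ordering.

```python
import struct
# IANA code points for the suites involved (registry values; names abbreviated).
SUITES = {
    0xC02B: "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xCCA9: "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC009: "ECDHE_ECDSA_WITH_AES_128_CBC_SHA",  # removed in Chrome 56
    0xC00A: "ECDHE_ECDSA_WITH_AES_256_CBC_SHA",  # removed in Chrome 56
    0xC02F: "ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "ECDHE_RSA_WITH_AES_128_CBC_SHA",    # RSA CBC suites stay offered
    0x002F: "RSA_WITH_AES_128_CBC_SHA",
}
REMOVED_ECDSA_CBC = {0xC009, 0xC00A}

# Constructed stand-in for a pre-change client offer; not Chrome's real list.
CLIENT_BEFORE = [0xC02B, 0xC02C, 0xCCA9, 0xC009, 0xC00A, 0xC02F, 0xC013, 0x002F]

def encode_cipher_suites(codes):
    """ClientHello cipher_suites vector: 2-byte length, then 2-byte big-endian code points."""
    body = b"".join(struct.pack("!H", c) for c in codes)
    return struct.pack("!H", len(body)) + body

def decode_cipher_suites(blob):
    """Parse the vector back; reject odd or truncated lengths."""
    (length,) = struct.unpack("!H", blob[:2])
    if length % 2 or len(blob) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack("!%dH" % (length // 2), blob[2:2 + length]))

def strip_cbc_ecdsa(codes):
    """Mirror the change: drop the two ECDSA CBC suites from the offer."""
    return [c for c in codes if c not in REMOVED_ECDSA_CBC]

def negotiate(client_codes, server_prefs):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_codes)
    return next((c for c in server_prefs if c in offered), None)

def impact(server_prefs):
    """(suite before, suite after) the removal for one server; (x, None) means it breaks."""
    wire = encode_cipher_suites(CLIENT_BEFORE)
    before = decode_cipher_suites(wire)
    after = strip_cbc_ecdsa(before)
    return negotiate(before, server_prefs), negotiate(after, server_prefs)

if __name__ == "__main__":
    # Constructed server: ECDSA certificate, CBC suites only -> (0xC00A, None).
    print(impact([0xC00A, 0xC009]))
```

A server with an ECDSA certificate that offers only CBC suites is the case that stops working; one that also lists a GCM or ChaCha20 ECDSA suite, or any RSA server, is unaffected.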
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d406cdbcf3fac9986aae1f9aee48a2d902025e6e

commit d406cdbcf3fac9986aae1f9aee48a2d902025e6e
Author: davidben <davidben@chromium.org>
Date: Thu Nov 17 08:31:05 2016

Add an escape hatch for the ECDSA CBC cipher removal.

There are enough things going into Chrome 56 that this should have a feature to restore the ciphers, should things go south.

BUG=658341
Review-Url: https://codereview.chromium.org/2510633003
Cr-Commit-Position: refs/heads/master@{#432813}

[modify] https://crrev.com/d406cdbcf3fac9986aae1f9aee48a2d902025e6e/net/socket/ssl_client_socket_impl.cc
Comment 1 by bugdroid1@chromium.org, Oct 22 2016