Merge pull request #4426 from ronald-cron-arm/remove-enable-weak-ciphersuites
Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option
diff --git a/ChangeLog.d/remove-enable-weak-ciphersuites.txt b/ChangeLog.d/remove-enable-weak-ciphersuites.txt
new file mode 100644
index 0000000..97f63eb
--- /dev/null
+++ b/ChangeLog.d/remove-enable-weak-ciphersuites.txt
@@ -0,0 +1,2 @@
+Removals
+ * Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.
diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h
index 29c6d14..846900a 100644
--- a/configs/config-psa-crypto.h
+++ b/configs/config-psa-crypto.h
@@ -612,8 +612,7 @@
* Warning: Only do so when you know what you are doing. This allows for
* encryption or channels without any security!
*
- * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
- * the following ciphersuites:
+ * To enable the following ciphersuites:
* MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
* MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
@@ -655,20 +654,6 @@
#define MBEDTLS_CIPHER_PADDING_ZEROS
/**
- * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
- *
- * Enable weak ciphersuites in SSL / TLS.
- * Warning: Only do so when you know what you are doing. This allows for
- * channels with virtually no security at all!
- *
- * Uncomment this macro to enable weak ciphersuites
- *
- * \warning DES is considered a weak cipher and its use constitutes a
- * security risk. We recommend considering stronger ciphers instead.
- */
-//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
-
-/**
* \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
*
* MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
diff --git a/docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md b/docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md
new file mode 100644
index 0000000..c3c3306
--- /dev/null
+++ b/docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md
@@ -0,0 +1,12 @@
+Remove the configuration to enable weak ciphersuites in SSL / TLS
+-----------------------------------------------------------------
+
+This does not affect users who use the default `config.h`, as this option was
+already off by default.
+
+If you were using a weak cipher, please switch to any of the modern,
+recommended ciphersuites (based on AES-GCM, AES-CCM or ChachaPoly for example)
+and if your peer doesn't support any, encourage them to upgrade their software.
+
+If you were using a ciphersuite without encryption, you just have to
+enable MBEDTLS_CIPHER_NULL_CIPHER now.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 466296c..fb4f5ed 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -659,8 +659,7 @@
* Warning: Only do so when you know what you are doing. This allows for
* encryption or channels without any security!
*
- * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
- * the following ciphersuites:
+ * To enable the following ciphersuites:
* MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
* MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
@@ -709,20 +708,6 @@
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
/**
- * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
- *
- * Enable weak ciphersuites in SSL / TLS.
- * Warning: Only do so when you know what you are doing. This allows for
- * channels with virtually no security at all!
- *
- * Uncomment this macro to enable weak ciphersuites
- *
- * \warning DES is considered a weak cipher and its use constitutes a
- * security risk. We recommend considering stronger ciphers instead.
- */
-//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
-
-/**
* \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
*
* Remove 3DES ciphersuites by default in SSL / TLS.
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 49e0784..f51f202 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1534,7 +1534,6 @@
#endif /* MBEDTLS_AES_C */
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(MBEDTLS_MD5_C)
@@ -1667,8 +1666,6 @@
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
-
#if defined(MBEDTLS_ARIA_C)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
diff --git a/library/version_features.c b/library/version_features.c
index 5d114fb..d2de895 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -300,9 +300,6 @@
#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
"MBEDTLS_CTR_DRBG_USE_128_BIT_KEY",
#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
-#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
- "MBEDTLS_ENABLE_WEAK_CIPHERSUITES",
-#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
"MBEDTLS_REMOVE_3DES_CIPHERSUITES",
#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
diff --git a/programs/test/query_config.c b/programs/test/query_config.c
index 0cd3b81..450e2fb 100644
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@@ -851,14 +851,6 @@
}
#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
-#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
- if( strcmp( "MBEDTLS_ENABLE_WEAK_CIPHERSUITES", config ) == 0 )
- {
- MACRO_EXPANSION_TO_STR( MBEDTLS_ENABLE_WEAK_CIPHERSUITES );
- return( 0 );
- }
-#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
-
#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
if( strcmp( "MBEDTLS_REMOVE_3DES_CIPHERSUITES", config ) == 0 )
{