Adapt programs to new RC4 default
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 838321a..4cd2cc4 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -173,8 +173,6 @@
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
- /* RC4 is deprecated, disable it */
- ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 46389ae..f0e6781 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -85,7 +85,7 @@
#define DFL_EXCHANGES 1
#define DFL_MIN_VERSION SSL_MINOR_VERSION_1
#define DFL_MAX_VERSION -1
-#define DFL_ARC4 SSL_ARC4_DISABLED
+#define DFL_ARC4 -1
#define DFL_AUTH_MODE SSL_VERIFY_REQUIRED
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1
@@ -249,9 +249,9 @@
USAGE_ETM \
USAGE_RECSPLIT \
"\n" \
+ " arc4=%%d default: (library default)\n" \
" min_version=%%s default: \"\" (ssl3)\n" \
" max_version=%%s default: \"\" (tls1_2)\n" \
- " arc4=%%d default: 0 (disabled)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
"\n" \
@@ -823,6 +823,19 @@
opt.min_version < SSL_MINOR_VERSION_2 )
opt.min_version = SSL_MINOR_VERSION_2;
}
+
+ /* Enable RC4 if needed and not explicitly disabled */
+ if( ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
+ {
+ if( opt.arc4 == SSL_ARC4_DISABLED )
+ {
+ polarssl_printf("forced RC4 ciphersuite with RC4 disabled\n");
+ ret = 2;
+ goto usage;
+ }
+
+ opt.arc4 = SSL_ARC4_ENABLED;
+ }
}
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -1130,10 +1143,10 @@
}
#endif
- /* RC4 setting is redundant if we use only one ciphersuite */
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
- else
+
+ if( opt.arc4 != DFL_ARC4 )
ssl_set_arc4_support( &ssl, opt.arc4 );
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index b58d8d2..7813d41 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -273,8 +273,6 @@
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1 );
- /* RC4 is deprecated, disable it */
- ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 41e0777..2e354a7 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -610,8 +610,6 @@
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
- /* RC4 is deprecated, disable it */
- ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
index 5222435..c4a93c3 100644
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@@ -176,8 +176,6 @@
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
- /* RC4 is deprecated, disable it */
- ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_mutexed_debug, stdout );
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 9c45e14..e38d3e2 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -204,8 +204,6 @@
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
- /* RC4 is deprecated, disable it */
- ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index c935165..d513ca7 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -101,7 +101,7 @@
#define DFL_EXCHANGES 1
#define DFL_MIN_VERSION SSL_MINOR_VERSION_1
#define DFL_MAX_VERSION -1
-#define DFL_ARC4 SSL_ARC4_DISABLED
+#define DFL_ARC4 -1
#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1
@@ -315,9 +315,9 @@
USAGE_EMS \
USAGE_ETM \
"\n" \
+ " arc4=%%d default: (library default)\n" \
" min_version=%%s default: \"ssl3\"\n" \
" max_version=%%s default: \"tls1_2\"\n" \
- " arc4=%%d default: 0 (disabled)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
"\n" \
@@ -1193,6 +1193,19 @@
opt.min_version < SSL_MINOR_VERSION_2 )
opt.min_version = SSL_MINOR_VERSION_2;
}
+
+ /* Enable RC4 if needed and not explicitly disabled */
+ if( ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
+ {
+ if( opt.arc4 == SSL_ARC4_DISABLED )
+ {
+ polarssl_printf("forced RC4 ciphersuite with RC4 disabled\n");
+ ret = 2;
+ goto usage;
+ }
+
+ opt.arc4 = SSL_ARC4_ENABLED;
+ }
}
if( opt.version_suites != NULL )
@@ -1618,7 +1631,8 @@
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
- else
+
+ if( opt.arc4 != DFL_ARC4 )
ssl_set_arc4_support( &ssl, opt.arc4 );
if( opt.version_suites != NULL )