From b42a2f2bc24c13d26fc342be197f929d996bd30b Mon Sep 17 00:00:00 2001
From: Zaiming Shi
Date: Tue, 5 Oct 2021 15:11:06 +0200
Subject: [PATCH] fix(ssl): delete some weak cipher suites from the default list
---
apps/emqx/src/emqx_tls_lib.erl | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/apps/emqx/src/emqx_tls_lib.erl b/apps/emqx/src/emqx_tls_lib.erl
index 11145f684..6a05274a6 100644
--- a/apps/emqx/src/emqx_tls_lib.erl
+++ b/apps/emqx/src/emqx_tls_lib.erl
@@ -90,7 +90,7 @@ do_selected_ciphers('tlsv1.3') -> do_selected_ciphers(_) -> [ "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", - "ECDHE-ECDSA-DES-CBC3-SHA", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", + "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
@@ -98,15 +98,14 @@ do_selected_ciphers(_) -> "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", - "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "AES256-SHA", "ECDHE-ECDSA-AES128-SHA", + "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", - "ECDH-RSA-AES128-SHA", "AES128-SHA", + "ECDH-RSA-AES128-SHA", %% psk "RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256", - "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA", - "RSA-PSK-DES-CBC3-SHA","RSA-PSK-RC4-SHA" + "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA" ]. %% @doc Ensure version & cipher-suites integrity.
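Review bot: The list returned by `do_selected_ciphers(_)` still holds suites of the same classes this commit deletes, so the rule for what counts as weak is not applied consistently across the two hunks. Static-RSA `"AES256-GCM-SHA384"`, `"AES256-SHA256"`, `"AES128-GCM-SHA256"` and `"AES128-SHA256"` stay while `"AES256-SHA"` and `"AES128-SHA"` go, the static `ECDH-*` entries stay as well (neither group gives forward secrecy), and in the PSK group `"RSA-PSK-AES256-CBC-SHA"` and `"RSA-PSK-AES128-CBC-SHA"` remain next to the removed 3DES and RC4 entries. I would state the policy in a comment above the list, for example `%% non-TLS-1.3 defaults: no RC4, no 3DES, no static-RSA CBC-SHA1 suites`, and either drop the remaining entries or say there why they are kept for client compatibility. Line 97 of the file falls between the two hunks and is not shown, so whether another 3DES entry survives there cannot be confirmed from this patch. A test asserting that no default suite name contains `DES-CBC3` or `RC4` would keep the list from regressing.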