pike.git / lib / modules / SSL.pmod / Context.pike

version» Context lines:

pike.git/lib/modules/SSL.pmod/Context.pike:425:       // Filter short effective key lengths.    if (min_keylength > 0) {    res = filter(res,    lambda(int suite, int min_keylength) {    return min_keylength <=    CIPHER_effective_keylengths[CIPHER_SUITES[suite][1]];    }, min_keylength);    }    -  if( !blacklisted_ciphers ) +  if( !blacklisted_ciphers || (max_version >= PROTOCOL_TLS_1_3))    { -  // Block export ciphers and DES because they are demonstrably -  // broken. Block RC4 because it probably is (RFC 7465). -  blacklisted_ciphers = (< CIPHER_rc4, CIPHER_des, CIPHER_rc4_40, +  // Block export ciphers and DES by default because they are +  // demonstrably broken. +  // +  // Block RC4 because it probably is (RFC 7465). +  // +  // TLS 1.3 prohibits RC4. +  if (!blacklisted_ciphers) blacklisted_ciphers = (<>); +  blacklisted_ciphers |= (< CIPHER_rc4, CIPHER_des, CIPHER_rc4_40,    CIPHER_rc2_40, CIPHER_des40 >);    }    if( sizeof(blacklisted_ciphers) )    res = filter(res,    lambda(int suite, multiset(int) blacklisted_hashes) {    return !blacklisted_hashes[CIPHER_SUITES[suite][1]];    }, blacklisted_ciphers);      #if !constant(Crypto.SHA384)    // Filter suites needing SHA384 as our Nettle doesn't support it.