Google Git
Sign in
webrtc / src / 7a46cc5f3d6b2bbce18124242be6807563d2e47d^! / .
commit7a46cc5f3d6b2bbce18124242be6807563d2e47d[log] [tgz]
authorDavid Benjamin <davidben@webrtc.org>Tue Aug 17 20:56:20 2021
committerWebRTC LUCI CQ <webrtc-scoped@luci-project-accounts.iam.gserviceaccount.com>Thu Aug 19 15:08:40 2021
tree1d52e04252841a034c702d214ac10828583402c7
parent8d8bc622658e0cf7533b46d363946c02e1ef5690 [diff]
Remove 3DES from WebRTC

I meant to do this with the Chromium change but forgot. UMA registers
zero uses of 3DES, so this should be safe. (Not too surprising, since
3DES had already been obsolete for just under a decade by the time
WebRTC existed.)

Bug: chromium:1203442
Change-Id: I5bddd2bd3f24beb486c8246fa5dab5836883b8c1
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/229120
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Commit-Queue: David Benjamin <davidben@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#34806}

diff --git a/rtc_base/openssl_adapter.cc b/rtc_base/openssl_adapter.cc
index 18142a0..d80b69d 100644
--- a/rtc_base/openssl_adapter.cc
+++ b/rtc_base/openssl_adapter.cc

@@ -976,9 +976,9 @@
   // Use defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
   // (note that SHA256 and SHA384 only select legacy CBC ciphers).
   // Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
-  // CBC-mode ECDSA ciphers.
+  // CBC-mode ECDSA ciphers. Finally, disable 3DES.
   SSL_CTX_set_cipher_list(
-      ctx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5");
+      ctx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5:!3DES");
 
   if (mode == SSL_MODE_DTLS) {
     SSL_CTX_set_read_ahead(ctx, 1);

diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index 76da464..95408f5 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc

@@ -1093,9 +1093,10 @@
   // Select list of available ciphers. Note that !SHA256 and !SHA384 only
   // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites
   // with SHA256 or SHA384 as the handshake hash.
-  // This matches the list of SSLClientSocketOpenSSL in Chromium.
+  // This matches the list of SSLClientSocketImpl in Chromium.
   SSL_CTX_set_cipher_list(
-      ctx, "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK");
+      ctx,
+      "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK:!3DES");
 
   if (!srtp_ciphers_.empty()) {
     if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) {