mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-03 20:17:36 +03:00
Add EnableWeakCiphers(): to enable old CBC ciphers
parent
c66e042136
commit
871f61f85e
1 changed files with 29 additions and 1 deletions
30
u_common.go
30
u_common.go
|
@ -5,6 +5,8 @@
|
|||
package tls
|
||||
|
||||
import (
|
||||
"crypto/hmac"
|
||||
"crypto/sha512"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
|
@ -25,6 +27,10 @@ const (
|
|||
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = uint16(0xcc13)
|
||||
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = uint16(0xcc14)
|
||||
|
||||
DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = uint16(0xc024)
|
||||
DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = uint16(0xc028)
|
||||
DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256 = uint16(0x003d)
|
||||
|
||||
FAKE_OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = uint16(0xcc15) // we can try to craft these ciphersuites
|
||||
FAKE_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = uint16(0x009e) // from existing pieces, if needed
|
||||
|
||||
|
@ -103,6 +109,11 @@ var (
|
|||
HelloAndroid_5_1_Browser ClientHelloID = ClientHelloID{helloAndroid, 22}
|
||||
)
|
||||
|
||||
// utlsMacSHA384 returns a SHA-384.
|
||||
func utlsMacSHA384(version uint16, key []byte) macFunction {
|
||||
return tls10MAC{hmac.New(sha512.New384, key)}
|
||||
}
|
||||
|
||||
var utlsSupportedSignatureAlgorithms []signatureAndHash
|
||||
var utlsSupportedCipherSuites []*cipherSuite
|
||||
|
||||
|
@ -113,5 +124,22 @@ func init() {
|
|||
{OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdheRSAKA,
|
||||
suiteECDHE | suiteTLS12 | suiteDefaultOff, nil, nil, aeadChaCha20Poly1305},
|
||||
{OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdheECDSAKA,
|
||||
suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff, nil, nil, aeadChaCha20Poly1305}}...)
|
||||
suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff, nil, nil, aeadChaCha20Poly1305},
|
||||
}...)
|
||||
}
|
||||
|
||||
// EnableWeakCiphers allows utls connections to continue in some cases, when weak cipher was chosen.
|
||||
// This provides better compatibility with servers on the web, but weakens security. Feel free
|
||||
// to use this option if you establish additional secure connection inside of utls connection.
|
||||
// This option does not change the shape of parrots (i.e. same ciphers will be offered either way).
|
||||
func EnableWeakCiphers() {
|
||||
utlsSupportedCipherSuites = append(cipherSuites, []*cipherSuite{
|
||||
{DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256, 32, 32, 16, rsaKA,
|
||||
suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
|
||||
|
||||
{DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheECDSAKA,
|
||||
suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff | suiteSHA384, cipherAES, utlsMacSHA384, nil},
|
||||
{DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheRSAKA,
|
||||
suiteECDHE | suiteTLS12 | suiteDefaultOff | suiteSHA384, cipherAES, utlsMacSHA384, nil},
|
||||
}...)
|
||||
}
|
||||
|
|
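Review bot: In EnableWeakCiphers, `utlsSupportedCipherSuites = append(cipherSuites, []*cipherSuite{` rebuilds the list from the base `cipherSuites`, so the OLD_TLS_ECDHE_*_CHACHA20_POLY1305_SHA256 entries that init() appears to add to the same variable (that statement begins outside the hunk) would be dropped once the function is called; starting from the current value, `utlsSupportedCipherSuites = append(utlsSupportedCipherSuites, []*cipherSuite{`, would keep them. The function also writes a package-level slice with no synchronization and no way to revert it, so the CBC suites become acceptable for every connection in the process, including callers that never opted in; the doc comment should say so, for example `// It changes process-wide state, is not safe to call while handshakes are running, and must be called before any connection is made.` utlsMacSHA384 wraps a plain `hmac.New(sha512.New384, key)`, which as far as I can tell carries no constant-time handling for the CBC padding check (the Lucky13 class of timing issue), and that is worth stating next to the "weakens security" wording. Its own comment `returns a SHA-384.` is incomplete and could read `// utlsMacSHA384 returns a SHA-384 based MAC; version is ignored because these suites are TLS 1.2 only.`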