From: Subodh Iyengar Date: Thu, 15 Oct 2015 05:01:55 +0000 (-0700) Subject: Ephemeral ciphers in false start list X-Git-Tag: deprecate-dynamic-initializer~328 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=ae574fb983e56d0774a6694667dc2da8cf984ce1;p=folly.git Ephemeral ciphers in false start list Summary: Only include ephemeral ciphers in false start list. Reviewed By: @​mzlee Differential Revision: D2429447 fb-gh-sync-id: 430d287a93249ff72b9ebe7db3bc283bb0712600
---
diff --git a/folly/io/async/SSLContext.cpp b/folly/io/async/SSLContext.cpp
index 34dbc917..7426e237 100644
--- a/folly/io/async/SSLContext.cpp
+++ b/folly/io/async/SSLContext.cpp
@@ -415,46 +415,21 @@ int SSLContext::advertisedNextProtocolCallback(SSL* ssl,
 #if defined(SSL_MODE_HANDSHAKE_CUTTHROUGH) && \
 FOLLY_SSLCONTEXT_USE_TLS_FALSE_START
 SSLContext::SSLFalseStartChecker::SSLFalseStartChecker() :
- /**
- * The list was generated as follows:
- * grep "_CK_" openssl-1.0.1e/ssl/s3_lib.c -A 4 |
- * while read A && read B && read C && read D && read E && read F; do
- * echo $A $B $C $D $E; done |
- * grep "\(SSL_kDHr\|SSL_kDHd\|SSL_kEDH\|SSL_kECDHr\|
- * SSL_kECDHe\|SSL_kEECDH\)" | grep -v SSL_aNULL | grep SSL_AES |
- * awk -F, '{ print $1"," }'
- */
 ciphers_{
- TLS1_CK_DH_DSS_WITH_AES_128_SHA,
- TLS1_CK_DH_RSA_WITH_AES_128_SHA,
 TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
- TLS1_CK_DH_DSS_WITH_AES_256_SHA,
- TLS1_CK_DH_RSA_WITH_AES_256_SHA,
 TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
- TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
- TLS1_CK_DH_RSA_WITH_AES_128_SHA256,
 TLS1_CK_DHE_DSS_WITH_AES_128_SHA256,
 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
- TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
- TLS1_CK_DH_RSA_WITH_AES_256_SHA256,
 TLS1_CK_DHE_DSS_WITH_AES_256_SHA256,
 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384,
 TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
 TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
- TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
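Review bot: The comment block removed at the top of the `ciphers_` initializer was the only record of how this list was selected, and nothing replaces it, so the new inclusion rule lives only in the commit message. A short comment above `ciphers_{` would keep the rule next to the data, for example `// Only ephemeral (DHE/ECDHE) key exchanges: False Start sends application data before the server's Finished is received.` Without it, a later edit has no stated criterion to check a newly added suite against. The initializer list continues past the end of this hunk.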
@@ -463,15 +438,10 @@ SSLContext::SSLFalseStartChecker::SSLFalseStartChecker() :
 TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,
 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
- TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
- TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
 } {
 length_ = sizeof(ciphers_)/sizeof(ciphers_[0]);
 width_ = sizeof(ciphers_[0]);
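Review bot: The first context line of this hunk, `TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,`, is a fixed-ECDH suite that the change leaves in the false start list, which contradicts the stated goal of keeping only ephemeral ciphers. Fixed ECDH gives no forward secrecy, so that line should be deleted along with the other `ECDH_` entries. The two old lines between the hunks (461–462) are not shown and may hold `TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256` as well; that is inferred from the list's pairing pattern and should be checked in the full file. The `ciphers_` initializer begins outside this hunk.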