1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* This program demonstrates the use of SSL_GetCipherSuiteInfo to avoid
* all compiled-in knowledge of SSL cipher suites.
*
* Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6
*/
#include <errno.h>
#include <stdio.h>
#include "nss.h"
#include "secport.h"
#include "secutil.h"
#include "ssl.h"
int
main(int argc, char **argv)
{
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
int i;
int errCount = 0;
SECStatus rv;
PRErrorCode err;
char *certDir = NULL;
/* load policy from $SSL_DIR/pkcs11.txt, for testing */
certDir = SECU_DefaultSSLDir();
if (certDir) {
rv = NSS_Init(certDir);
} else {
rv = NSS_NoDB_Init(NULL);
}
if (rv != SECSuccess) {
err = PR_GetError();
++errCount;
fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(err));
goto out;
}
/* apply policy */
rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
if (rv != SECSuccess) {
err = PR_GetError();
++errCount;
fprintf(stderr, "NSS_SetAlgorithmPolicy failed: %s\n",
PORT_ErrorToString(err));
goto out;
}
/* update the default cipher suites according to the policy */
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
if (rv != SECSuccess) {
err = PR_GetError();
++errCount;
fprintf(stderr, "SSL_OptionSetDefault failed: %s\n",
PORT_ErrorToString(err));
goto out;
}
fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
/* disable all the SSL3 cipher suites */
for (i = 0; i < SSL_NumImplementedCiphers; i++) {
PRUint16 suite = cipherSuites[i];
PRBool enabled;
SSLCipherSuiteInfo info;
rv = SSL_CipherPrefGetDefault(suite, &enabled);
if (rv != SECSuccess) {
err = PR_GetError();
++errCount;
fprintf(stderr,
"SSL_CipherPrefGetDefault didn't like value 0x%04x (i = %d): %s\n",
suite, i, PORT_ErrorToString(err));
continue;
}
rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info));
if (rv != SECSuccess) {
err = PR_GetError();
++errCount;
fprintf(stderr,
"SSL_GetCipherSuiteInfo didn't like value 0x%04x (i = %d): %s\n",
suite, i, PORT_ErrorToString(err));
continue;
}
fprintf(stdout,
"%s:\n" /* up to 37 spaces */
" 0x%04hx %-5s %-5s %-8s %3hd %-6s %-8s %-4s Domestic %-11s\n",
info.cipherSuiteName, info.cipherSuite,
info.keaTypeName, info.authAlgorithmName, info.symCipherName,
info.effectiveKeyBits, info.macAlgorithmName,
enabled ? "Enabled" : "Disabled",
info.isFIPS ? "FIPS" : "",
info.nonStandard ? "nonStandard" : "");
}
out:
rv = NSS_Shutdown();
if (rv != SECSuccess) {
err = PR_GetError();
++errCount;
fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(err));
}
return errCount;
}
|