From 358fdea85e8bcb482c40a9dc2c7fa72db03974cd Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Thu, 23 Aug 2012 14:34:24 -0700
Subject: https://fedorahosted.org/pki/ticket/241 TPS ECC: when TPS server acts
 as an ECC SSL client to CA, TKS, or DRM, it needs to support ECC ciphers

---
 base/tps/src/httpClient/engine.cpp | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

(limited to 'base/tps')

diff --git a/base/tps/src/httpClient/engine.cpp b/base/tps/src/httpClient/engine.cpp
index 621a37244..0e0897e62 100644
--- a/base/tps/src/httpClient/engine.cpp
+++ b/base/tps/src/httpClient/engine.cpp
@@ -183,21 +183,22 @@ int ssl3Suites[] = {
 };
 
 int tlsSuites[] = {
-//    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-//    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-//    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
     TLS_RSA_WITH_AES_128_CBC_SHA,
     TLS_RSA_WITH_AES_256_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-//    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-//    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-//    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+    0
 };
 
 void disableAllCiphersOnSocket(PRFileDesc* sock) {
@@ -539,6 +540,9 @@ void __EXPORT setDefaultAllTLSCiphers() {
             alg);
         SSL_CipherPrefSetDefault(tlsSuites[i++], PR_TRUE);
 	}
+    RA::Debug( LL_PER_PDU,
+        "setDefaultAllTLSCiphers",
+        "number of ciphers set:%d", i);
 }
  
 /**
@@ -557,7 +561,6 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn,
 	PRFileDesc *tcpsock = NULL;
 	PRFileDesc *sock = NULL;
 
-    SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE);
     setDefaultAllTLSCiphers();
 
     tcpsock = PR_OpenTCPSocket(addr->raw.family);
@@ -734,6 +737,7 @@ PSHttpResponse * HttpEngine::makeRequest( PSHttpRequest &request,
 	char *nickName = request.getCertNickName();
 
 	char *serverName = (char *)server.getAddr();
+
     sock = _doConnect( &addr, request.isSSL(), 0, 0,nickName, 0, serverName );
 
     if ( sock != NULL) {
-- 
cgit