Remove 3DES from Conscrypt
Bug: 357870429
Ignore-AOSP-First: Security fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c47caf05209b8adadb6c71689b29b6608680329)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7ffe97a8034fc98d4f91e0a24793d5f99200523f)
Merged-In: Ic61848e0455a48ea4b39cd67ef78280aa403beba
Change-Id: Ic61848e0455a48ea4b39cd67ef78280aa403beba
diff --git a/common/src/main/java/org/conscrypt/NativeCrypto.java b/common/src/main/java/org/conscrypt/NativeCrypto.java
index d017f9e..3419f6e 100644
--- a/common/src/main/java/org/conscrypt/NativeCrypto.java
+++ b/common/src/main/java/org/conscrypt/NativeCrypto.java
@@ -857,10 +857,8 @@
if (loadError == null) {
// If loadError is not null, it means the native code was not loaded, so
// get_cipher_names will throw UnsatisfiedLinkError. Populate the list of supported
- // ciphers with BoringSSL's default, and also explicitly include 3DES.
- // https://boringssl-review.googlesource.com/c/boringssl/+/59425 will remove 3DES
- // from BoringSSL's default, but Conscrypt isn't quite ready to remove it yet.
- String[] allCipherSuites = get_cipher_names("ALL:3DES");
+ // ciphers with BoringSSL's default.
+ String[] allCipherSuites = get_cipher_names("ALL");
// get_cipher_names returns an array where even indices are the standard name and odd
// indices are the OpenSSL name.
diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java b/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java
index 6cec9aa..0a7dcb8 100644
--- a/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java
+++ b/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java
@@ -887,10 +887,8 @@
if (loadError == null) {
// If loadError is not null, it means the native code was not loaded, so
// get_cipher_names will throw UnsatisfiedLinkError. Populate the list of supported
- // ciphers with BoringSSL's default, and also explicitly include 3DES.
- // https://boringssl-review.googlesource.com/c/boringssl/+/59425 will remove 3DES
- // from BoringSSL's default, but Conscrypt isn't quite ready to remove it yet.
- String[] allCipherSuites = get_cipher_names("ALL:3DES");
+ // ciphers with BoringSSL's default.
+ String[] allCipherSuites = get_cipher_names("ALL");
// get_cipher_names returns an array where even indices are the standard name and odd
// indices are the OpenSSL name.
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
index 6d28950..5619fee 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
@@ -253,7 +253,6 @@
addOpenSsl("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA");
addOpenSsl("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
addOpenSsl("TLS_RSA_WITH_AES_128_CBC_SHA");
- addOpenSsl("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
// TLSv1.2 cipher suites
addOpenSsl("TLS_RSA_WITH_AES_128_GCM_SHA256");
diff --git a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
index 4c480ec..ac2db4e 100644
--- a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
+++ b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
@@ -252,7 +252,6 @@
addOpenSsl("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA");
addOpenSsl("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
addOpenSsl("TLS_RSA_WITH_AES_128_CBC_SHA");
- addOpenSsl("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
// TLSv1.2 cipher suites
addOpenSsl("TLS_RSA_WITH_AES_128_GCM_SHA256");
