From f0d5000105a25441a812b9a9b64cd8c861f049a5 Mon Sep 17 00:00:00 2001
From: mbays
Date: Sat, 20 Apr 2024 00:00:00 +0000
Subject: [PATCH] drop support for ciphers dropped by tls-2.0
---
 GeminiProtocol.hs | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/GeminiProtocol.hs b/GeminiProtocol.hs
index db54f5f..838a4b6 100644
--- a/GeminiProtocol.hs
+++ b/GeminiProtocol.hs
@@ -456,6 +456,8 @@ makeRequest (RequestContext (InteractionCallbacks displayInfo displayWarning _ p
 -- |those ciphers from ciphersuite_default fitting the requirements
 -- recommended by the gemini "best practices" document:
 -- require ECDHE/DHE (for PFS), and >=SHA2, and AES/CHACHA20.
+ -- Some of these were subsequently commented out once tls-2.0 dropped
+ -- support for them.
 gemini_ciphersuite :: [Cipher]
 gemini_ciphersuite =
 [ -- First the PFS + GCM + SHA2 ciphers
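Review bot: The Haddock comment above `gemini_ciphersuite` still reads `require ECDHE/DHE (for PFS)`, but with the second hunk applied no DHE suite stays active in the list, so the documented policy and the suites actually offered disagree. The two added lines record why entries were commented out rather than what a client now negotiates. I would state the effective policy instead, e.g. `-- require ECDHE (for PFS), >=SHA2, and an AEAD mode (GCM, CCM or CHACHA20-POLY1305);` followed by `-- DHE and CBC suites are no longer offered.` The list body continues past the end of this hunk.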
@@ -463,15 +465,15 @@ makeRequest (RequestContext (InteractionCallbacks displayInfo displayWarning _ p
 , cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256
 , cipher_ECDHE_RSA_AES128GCM_SHA256, cipher_ECDHE_RSA_AES256GCM_SHA384
 , cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256
- , cipher_DHE_RSA_AES128GCM_SHA256, cipher_DHE_RSA_AES256GCM_SHA384
- , cipher_DHE_RSA_CHACHA20POLY1305_SHA256
+ --, cipher_DHE_RSA_AES128GCM_SHA256, cipher_DHE_RSA_AES256GCM_SHA384
+ --, cipher_DHE_RSA_CHACHA20POLY1305_SHA256
 , -- Next the PFS + CCM + SHA2 ciphers
 cipher_ECDHE_ECDSA_AES128CCM_SHA256, cipher_ECDHE_ECDSA_AES256CCM_SHA256
- , cipher_DHE_RSA_AES128CCM_SHA256, cipher_DHE_RSA_AES256CCM_SHA256
+ --, cipher_DHE_RSA_AES128CCM_SHA256, cipher_DHE_RSA_AES256CCM_SHA256
 -- Next the PFS + CBC + SHA2 ciphers
- , cipher_ECDHE_ECDSA_AES128CBC_SHA256, cipher_ECDHE_ECDSA_AES256CBC_SHA384
- , cipher_ECDHE_RSA_AES128CBC_SHA256, cipher_ECDHE_RSA_AES256CBC_SHA384
- , cipher_DHE_RSA_AES128_SHA256, cipher_DHE_RSA_AES256_SHA256
+ --, cipher_ECDHE_ECDSA_AES128CBC_SHA256, cipher_ECDHE_ECDSA_AES256CBC_SHA384
+ --, cipher_ECDHE_RSA_AES128CBC_SHA256, cipher_ECDHE_RSA_AES256CBC_SHA384
+ --, cipher_DHE_RSA_AES128_SHA256, cipher_DHE_RSA_AES256_SHA256
 -- TLS13 (listed at the end but version is negotiated first)
 , cipher_TLS13_AES128GCM_SHA256
 , cipher_TLS13_AES256GCM_SHA384
-- 
2.11.4.GIT
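Review bot: The six dropped entries are left in the list as commented-out code, and the heading `-- Next the PFS + CBC + SHA2 ciphers` now has no active suite under it, so a reader auditing the list can easily take CBC as still offered. Deleting those lines and the empty heading would be clearer, since version history already keeps them. The removal is also unconditional: a build against a tls release older than 2.0 would stop offering the DHE_RSA and CBC suites too, so a TLS 1.2 server that supports only those can no longer complete a handshake. If that narrowing is intended as hardening, say so in a comment such as `-- DHE and CBC suites intentionally not offered; TLS 1.2 peers need ECDHE with an AEAD cipher`. Whether the package's tls version bound was raised alongside is not visible in this patch.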