From 7a46cc5f3d6b2bbce18124242be6807563d2e47d Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@webrtc.org>
Date: Tue, 17 Aug 2021 16:56:20 -0400
Subject: [PATCH] Remove 3DES from WebRTC

I meant to do this with the Chromium change but forgot. UMA registers
zero uses of 3DES, so this should be safe. (Not too surprising, since
3DES had already been obsolete for just under a decade by the time
WebRTC existed.)

Bug: chromium:1203442
Change-Id: I5bddd2bd3f24beb486c8246fa5dab5836883b8c1
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/229120
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Commit-Queue: David Benjamin <davidben@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#34806}
---
 rtc_base/openssl_adapter.cc        | 4 ++--
 rtc_base/openssl_stream_adapter.cc | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/rtc_base/openssl_adapter.cc b/rtc_base/openssl_adapter.cc
index 18142a0243..d80b69d201 100644
--- a/rtc_base/openssl_adapter.cc
+++ b/rtc_base/openssl_adapter.cc
@@ -976,9 +976,9 @@ SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
   // Use defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
   // (note that SHA256 and SHA384 only select legacy CBC ciphers).
   // Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
-  // CBC-mode ECDSA ciphers.
+  // CBC-mode ECDSA ciphers. Finally, disable 3DES.
   SSL_CTX_set_cipher_list(
-      ctx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5");
+      ctx, "ALL:!SHA256:!SHA384:!aPSK:!ECDSA+SHA1:!ADH:!LOW:!EXP:!MD5:!3DES");
 
   if (mode == SSL_MODE_DTLS) {
     SSL_CTX_set_read_ahead(ctx, 1);
diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index 76da464de9..95408f5945 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -1093,9 +1093,10 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
   // Select list of available ciphers. Note that !SHA256 and !SHA384 only
   // remove HMAC-SHA256 and HMAC-SHA384 cipher suites, not GCM cipher suites
   // with SHA256 or SHA384 as the handshake hash.
-  // This matches the list of SSLClientSocketOpenSSL in Chromium.
+  // This matches the list of SSLClientSocketImpl in Chromium.
   SSL_CTX_set_cipher_list(
-      ctx, "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK");
+      ctx,
+      "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK:!3DES");
 
   if (!srtp_ciphers_.empty()) {
     if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) {