Bug 848384: Remove vestigial cipher suite policy code. r=wtc.
authorAdam Langley <agl@chromium.org>
Mon, 12 Aug 2013 11:39:36 -0700
changeset 10831 fee4f367743932d585f99f798376159a09f3e5df
parent 10830 de33c29a6bdea447e6f73a9805c720e93e5c26fc
child 10832 e698c2409762e778d10a94446d5c95f2f7bdd87a
push id137
push userwtc@google.com
push dateMon, 12 Aug 2013 18:39:43 +0000
reviewerswtc
bugs848384
Bug 848384: Remove vestigial cipher suite policy code. r=wtc.
lib/ssl/ssl.h
lib/ssl/ssl3con.c
lib/ssl/ssl3ecc.c
lib/ssl/sslcon.c
lib/ssl/sslimpl.h
lib/ssl/sslsock.c
--- a/lib/ssl/ssl.h
+++ b/lib/ssl/ssl.h
@@ -228,30 +228,33 @@ SSL_IMPORT SECStatus SSL_GetNextProto(PR
 				      unsigned int *bufLen,
 				      unsigned int bufLenMax);
 
 /*
 ** Control ciphers that SSL uses. If on is non-zero then the named cipher
 ** is enabled, otherwise it is disabled. 
 ** The "cipher" values are defined in sslproto.h (the SSL_EN_* values).
 ** EnableCipher records user preferences.
-** SetPolicy sets the policy according to the policy module.
 */
 #ifdef SSL_DEPRECATED_FUNCTION 
 /* Old deprecated function names */
 SSL_IMPORT SECStatus SSL_EnableCipher(long which, PRBool enabled);
 SSL_IMPORT SECStatus SSL_SetPolicy(long which, int policy);
 #endif
 
 /* New function names */
 SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool enabled);
 SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled);
 SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled);
 SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
+
+/* Policy functions are deprecated and no longer have any effect. They exist in
+ * order to maintain ABI compatibility. */
 SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
+/* SSL_CipherPolicyGet sets *policy to SSL_ALLOWED and returns SECSuccess. */
 SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
 
 /* SSL Version Range API
 **
 ** This API should be used to control SSL 3.0 & TLS support instead of the
 ** older SSL_Option* API; however, the SSL_Option* API MUST still be used to
 ** control SSL 2.0 support. In this version of libssl, SSL 3.0 and TLS 1.0 are
 ** enabled by default. Future versions of libssl may change which versions of
@@ -315,17 +318,17 @@ SSL_IMPORT SECStatus SSL_VersionRangeSet
 SSL_IMPORT SECStatus SSL_VersionRangeGet(PRFileDesc *fd,
 					 SSLVersionRange *vrange);
 
 /* Sets the range of enabled SSL3/TLS versions for |fd| to |*vrange|. */
 SSL_IMPORT SECStatus SSL_VersionRangeSet(PRFileDesc *fd,
 					 const SSLVersionRange *vrange);
 
 
-/* Values for "policy" argument to SSL_PolicySet */
+/* Values for "policy" argument to SSL_CipherPolicySet */
 /* Values returned by SSL_CipherPolicyGet. */
 #define SSL_NOT_ALLOWED		 0	      /* or invalid or unimplemented */
 #define SSL_ALLOWED		 1
 #define SSL_RESTRICTED		 2	      /* only with "Step-Up" certs. */
 
 /* Values for "on" with SSL_REQUIRE_CERTIFICATE. */
 #define SSL_REQUIRE_NEVER           ((PRBool)0)
 #define SSL_REQUIRE_ALWAYS          ((PRBool)1)
@@ -786,36 +789,22 @@ SSL_IMPORT SECStatus SSL_GetSRTPCipher(P
 SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert, 
                                           CERTDistNames *caNames);
 
 /* 
  * Returns key exchange type of the keys in an SSL server certificate.
  */
 SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);
 
-/* Set cipher policies to a predefined Domestic (U.S.A.) policy.
- * This essentially enables all supported ciphers.
- */
+/*
+** The NSS_Set*Policy functions have no effect and exist in order to maintain
+** ABI compatibility. All supported ciphers are now allowed.
+*/
 SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void);
-
-/* Set cipher policies to a predefined Policy that is exportable from the USA
- *   according to present U.S. policies as we understand them.
- * See documentation for the list.
- * Note that your particular application program may be able to obtain
- *   an export license with more or fewer capabilities than those allowed
- *   by this function.  In that case, you should use SSL_SetPolicy()
- *   to explicitly allow those ciphers you may legally export.
- */
 SSL_IMPORT SECStatus NSS_SetExportPolicy(void);
-
-/* Set cipher policies to a predefined Policy that is exportable from the USA
- *   according to present U.S. policies as we understand them, and that the 
- *   nation of France will permit to be imported into their country.
- * See documentation for the list.
- */
 SSL_IMPORT SECStatus NSS_SetFrancePolicy(void);
 
 SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void);
 
 /* Report more information than SSL_SecurityStatus.
 ** Caller supplies the info struct.  Function fills it in.
 */
 SSL_IMPORT SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info,
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -72,95 +72,94 @@ static SECStatus Null_Cipher(void *ctx, 
 #define MIN_SEND_BUF_LENGTH  4000
 
 /* This list of SSL3 cipher suites is sorted in descending order of
  * precedence (desirability).  It only includes cipher suites we implement.
  * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
  * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
  */
 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
-   /*      cipher_suite                         policy      enabled is_present*/
+   /*      cipher_suite                     enabled   is_present */
 #ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        PR_TRUE,  PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     PR_TRUE,  PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        PR_TRUE,  PR_FALSE},
 #ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,  	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_RSA_WITH_AES_256_CBC_SHA,     	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_RSA_WITH_AES_256_CBC_SHA256,	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA,            PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256,         PR_TRUE,  PR_FALSE},
 
 #ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_RC4_128_SHA,         SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_RC4_128_SHA,            PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        PR_TRUE,  PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     PR_TRUE,  PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        PR_TRUE,  PR_FALSE},
 #ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_RC4_128_SHA,          SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,        SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA,           PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { TLS_RSA_WITH_SEED_CBC_SHA,              SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,  	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_WITH_RC4_128_SHA,               SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { SSL_RSA_WITH_RC4_128_MD5,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_WITH_AES_128_CBC_SHA,     	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_RSA_WITH_AES_128_CBC_SHA256,	   SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_RSA_WITH_SEED_CBC_SHA,               PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_SHA,                PR_TRUE,  PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_MD5,                PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA,            PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA256,         PR_TRUE,  PR_FALSE},
 
 #ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       PR_TRUE,  PR_FALSE},
+ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       PR_TRUE,  PR_FALSE},
 #ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_WITH_3DES_EDE_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
-
-
- { SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_FIPS_WITH_DES_CBC_SHA,          SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_WITH_DES_CBC_SHA,               SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
-
- { SSL_RSA_EXPORT_WITH_RC4_40_MD5,         SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_3DES_EDE_CBC_SHA,           PR_TRUE,  PR_FALSE},
+
+
+ { SSL_DHE_RSA_WITH_DES_CBC_SHA,            PR_FALSE, PR_FALSE},
+ { SSL_DHE_DSS_WITH_DES_CBC_SHA,            PR_FALSE, PR_FALSE},
+ { SSL_RSA_FIPS_WITH_DES_CBC_SHA,           PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_DES_CBC_SHA,                PR_FALSE, PR_FALSE},
+ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,      PR_FALSE, PR_FALSE},
+ { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,     PR_FALSE, PR_FALSE},
+
+ { SSL_RSA_EXPORT_WITH_RC4_40_MD5,          PR_FALSE, PR_FALSE},
+ { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,      PR_FALSE, PR_FALSE},
 
 #ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_NULL_SHA,          SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_NULL_SHA,            SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDH_RSA_WITH_NULL_SHA,             SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_NULL_SHA,           SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_NULL_SHA,           PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_NULL_SHA,             PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_NULL_SHA,              PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_NULL_SHA,            PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { SSL_RSA_WITH_NULL_SHA,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_RSA_WITH_NULL_SHA256,               SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_WITH_NULL_MD5,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-
+ { SSL_RSA_WITH_NULL_SHA,                   PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_NULL_SHA256,                PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_NULL_MD5,                   PR_FALSE, PR_FALSE},
 };
 
 /* This list of SSL3 compression methods is sorted in descending order of
  * precedence (desirability).  It only includes compression methods we
  * implement.
  */
 static const /*SSLCompressionMethod*/ PRUint8 compressions [] = {
 #ifdef NSS_ENABLE_ZLIB
@@ -627,23 +626,23 @@ ssl_LookupCipherSuiteCfg(ssl3CipherSuite
 	    return &suites[i];
     }
     /* return NULL and let the caller handle it.  */
     PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
     return NULL;
 }
 
 
-/* Initialize the suite->isPresent value for config_match
+/* Initialize the suite->isPresent value for cipher_suite_available.
  * Returns count of enabled ciphers supported by extant tokens,
- * regardless of policy or user preference.
+ * regardless of user preference.
  * If this returns zero, the user cannot do SSL v3.
  */
 int
-ssl3_config_match_init(sslSocket *ss)
+ssl3_cipher_suite_available_init(sslSocket *ss)
 {
     ssl3CipherSuiteCfg *      suite;
     const ssl3CipherSuiteDef *cipher_def;
     SSLCipherAlgorithm        cipher_alg;
     CK_MECHANISM_TYPE         cipher_mech;
     SSL3KEAType               exchKeyType;
     int                       i;
     int                       numPresent		= 0;
@@ -729,47 +728,35 @@ ssl3_config_match_init(sslSocket *ss)
     PORT_Assert(numPresent > 0 || numEnabled == 0);
     if (numPresent <= 0) {
 	PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
     }
     return numPresent;
 }
 
 
-/* return PR_TRUE if suite matches policy and enabled state */
-/* It would be a REALLY BAD THING (tm) if we ever permitted the use
-** of a cipher that was NOT_ALLOWED.  So, if this is ever called with
-** policy == SSL_NOT_ALLOWED, report no match.
-*/
-/* adjust suite enabled to the availability of a token that can do the
- * cipher suite. */
+/* return PR_TRUE if the given cipher suite is enabled and present. */
 static PRBool
-config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
-{
-    PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
-    if (policy == SSL_NOT_ALLOWED || !enabled)
-    	return PR_FALSE;
-    return (PRBool)(suite->enabled &&
-                    suite->isPresent &&
-	            suite->policy != SSL_NOT_ALLOWED &&
-		    suite->policy <= policy);
-}
-
-/* return number of cipher suites that match policy and enabled state */
-/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
+cipher_suite_available(ssl3CipherSuiteCfg *suite)
+{
+    return (PRBool)(suite->enabled && suite->isPresent);
+}
+
+/* return number of cipher suites that are enabled and present.
+ * called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
 static int
-count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
+count_cipher_suites(sslSocket *ss)
 {
     int i, count = 0;
 
     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
-    	return 0;
+	return 0;
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-	if (config_match(&ss->cipherSuites[i], policy, enabled))
+	if (cipher_suite_available(&ss->cipherSuites[i]))
 	    count++;
     }
     if (count <= 0) {
 	PORT_SetError(SSL_ERROR_SSL_DISABLED);
     }
     return count;
 }
 
@@ -4711,18 +4698,16 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
 
 	/* Are we attempting a stateless session resume? */
 	if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
 	    sid->u.ssl3.sessionTicket.ticket.data)
 	    SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes );
 
 	PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
 		      sid->u.ssl3.sessionIDLength));
-
-	ss->ssl3.policy = sid->u.ssl3.policy;
     } else {
 	SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
 
 	/*
 	 * Windows SChannel compares the client_version inside the RSA
 	 * EncryptedPreMasterSecret of a renegotiation with the
 	 * client_version of the initial ClientHello rather than the
 	 * ClientHello in the renegotiation. To work around this bug, we
@@ -4762,20 +4747,21 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
 
     /* shouldn't get here if SSL3 is disabled, but ... */
     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
 	PR_NOT_REACHED("No versions of SSL 3.0 or later are enabled");
 	PORT_SetError(SSL_ERROR_SSL_DISABLED);
     	return SECFailure;
     }
 
-    /* how many suites does our PKCS11 support (regardless of policy)? */
-    num_suites = ssl3_config_match_init(ss);
+    /* how many suites does our PKCS11 support? */
+    num_suites = ssl3_cipher_suite_available_init(ss);
     if (!num_suites)
-    	return SECFailure;	/* ssl3_config_match_init has set error code. */
+	return SECFailure;	/* ssl3_cipher_suite_available_init has set
+				 * error code. */
 
     /* HACK for SCSV in SSL 3.0.  On initial handshake, prepend SCSV,
      * only if we're willing to complete an SSL 3.0 handshake.
      */
     if (!ss->firstHsDone && ss->vrange.min == SSL_LIBRARY_VERSION_3_0) {
 	/* Must set this before calling Hello Extension Senders, 
 	 * to suppress sending of empty RI extension.
 	 */
@@ -4803,18 +4789,18 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
     	ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     }
 #endif
 
     if (IS_DTLS(ss)) {
 	ssl3_DisableNonDTLSSuites(ss);
     }
 
-    /* how many suites are permitted by policy and user preference? */
-    num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
+    /* how many suites are permitted by user preference? */
+    num_suites = count_cipher_suites(ss);
     if (!num_suites)
     	return SECFailure;	/* count_cipher_suites has set error code. */
     if (ss->ssl3.hs.sendingSCSV) {
 	++num_suites;   /* make room for SCSV */
     }
 
     /* count compression methods */
     numCompressionMethods = 0;
@@ -4894,17 +4880,17 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
 					sizeof(ssl3CipherSuite));
 	if (rv != SECSuccess) {
 	    return rv;	/* err set by ssl3_AppendHandshake* */
 	}
 	actual_count++;
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-	if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
+	if (cipher_suite_available(suite)) {
 	    actual_count++;
 	    if (actual_count > num_suites) {
 		/* set error card removal/insertion error */
 		PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
 		return SECFailure;
 	    }
 	    rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
 					    sizeof(ssl3CipherSuite));
@@ -5925,21 +5911,21 @@ ssl3_HandleServerHello(sslSocket *ss, SS
 	goto alert_loser;	/* malformed. */
     }
 
     /* find selected cipher suite in our list. */
     temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
     if (temp < 0) {
     	goto loser; 	/* alert has been sent */
     }
-    ssl3_config_match_init(ss);
+    ssl3_cipher_suite_available_init(ss);
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
 	if (temp == suite->cipher_suite) {
-	    if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) {
+	    if (!cipher_suite_available(suite)) {
 		break;	/* failure */
 	    }
 	    if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
 						   ss->version)) {
 		desc    = handshake_failure;
 		errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
 		goto alert_loser;
 	    }
@@ -6931,17 +6917,16 @@ ssl3_NewSessionID(sslSocket *ss, PRBool 
     sid->urlSvrName	= (ss->url    == NULL) ? NULL : PORT_Strdup(ss->url);
     sid->addr           = ss->sec.ci.peer;
     sid->port           = ss->sec.ci.port;
     sid->references     = 1;
     sid->cached         = never_cached;
     sid->version        = ss->version;
 
     sid->u.ssl3.keys.resumable = PR_TRUE;
-    sid->u.ssl3.policy         = SSL_ALLOWED;
     sid->u.ssl3.clientWriteKey = NULL;
     sid->u.ssl3.serverWriteKey = NULL;
 
     if (is_server) {
 	SECStatus rv;
 	int       pid = SSL_GETPID();
 
 	sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
@@ -7312,18 +7297,18 @@ ssl3_HandleClientHello(sslSocket *ss, SS
     ssl3_FilterECCipherSuitesByServerCerts(ss);
 #endif
 
     if (IS_DTLS(ss)) {
 	ssl3_DisableNonDTLSSuites(ss);
     }
 
 #ifdef PARANOID
-    /* Look for a matching cipher suite. */
-    j = ssl3_config_match_init(ss);
+    /* Look for an available cipher suite. */
+    j = ssl3_cipher_suite_available_init(ss);
     if (j <= 0) {		/* no ciphers are working/supported by PK11 */
     	errCode = PORT_GetError();	/* error code is already set. */
 	goto alert_loser;
     }
 #endif
 
     /* If we already have a session for this client, be sure to pick the
     ** same cipher suite and compression method we picked before.
@@ -7349,22 +7334,21 @@ ssl3_HandleClientHello(sslSocket *ss, SS
 	for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
 	    if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
 		break;
 	}
 	PORT_Assert(j > 0);
 	if (j <= 0)
 	    break;
 #ifdef PARANOID
-	/* Double check that the cached cipher suite is still enabled,
-	 * implemented, and allowed by policy.  Might have been disabled.
-	 * The product policy won't change during the process lifetime.  
+	/* Double check that the cached cipher suite is still enabled and
+	 * implemented.  Might have been disabled.
 	 * Implemented ("isPresent") shouldn't change for servers.
 	 */
-	if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
+	if (!cipher_suite_available(suite))
 	    break;
 #else
 	if (!suite->enabled)
 	    break;
 #endif
 	/* Double check that the cached cipher suite is in the client's list */
 	for (i = 0; i + 1 < suites.len; i += 2) {
 	    PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
@@ -7378,18 +7362,18 @@ ssl3_HandleClientHello(sslSocket *ss, SS
 		goto compression_found;
 	    }
 	}
     } while (0);
 
     /* START A NEW SESSION */
 
 #ifndef PARANOID
-    /* Look for a matching cipher suite. */
-    j = ssl3_config_match_init(ss);
+    /* Look for an available cipher suite. */
+    j = ssl3_cipher_suite_available_init(ss);
     if (j <= 0) {		/* no ciphers are working/supported by PK11 */
     	errCode = PORT_GetError();	/* error code is already set. */
 	goto alert_loser;
     }
 #endif
 
     /* Select a cipher suite.
     **
@@ -7402,17 +7386,17 @@ ssl3_HandleClientHello(sslSocket *ss, SS
     ** TLS 1.1 client should not have export cipher suites enabled at all,
     ** and a TLS 1.1 client should definitely not be offering *only* export
     ** cipher suites. Therefore, we refuse to negotiate export cipher suites
     ** with any client that indicates support for TLS 1.1 or higher when we
     ** (the server) have TLS 1.1 support enabled.
     */
     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
-	if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
+	if (!cipher_suite_available(suite) ||
 	    !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
 					       ss->version)) {
 	    continue;
 	}
 	for (i = 0; i + 1 < suites.len; i += 2) {
 	    PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
 	    if (suite_i == suite->cipher_suite) {
 		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
@@ -7421,17 +7405,17 @@ ssl3_HandleClientHello(sslSocket *ss, SS
 		goto suite_found;
 	    }
 	}
     }
     errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
     goto alert_loser;
 
 suite_found:
-    /* Look for a matching compression algorithm. */
+    /* Select a compression algorithm. */
     for (i = 0; i < comps.len; i++) {
 	if (!compressionEnabled(ss, comps.data[i]))
 	    continue;
 	for (j = 0; j < compressionMethodsCount; j++) {
 	    if (comps.data[i] == compressions[j]) {
 		ss->ssl3.hs.compression = 
 					(SSLCompressionMethod)compressions[j];
 		goto compression_found;
@@ -7724,17 +7708,17 @@ compression_found:
                 rv = SECITEM_CopyItem(NULL, pwsName, name);
                 ssl_ReleaseSpecWriteLock(ss);  /***************************/
                 if (rv != SECSuccess) {
                     errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
                     desc = internal_error;
                     ret = SSL_SNI_SEND_ALERT;
                     break;
                 }
-                configedCiphers = ssl3_config_match_init(ss);
+                configedCiphers = ssl3_cipher_suite_available_init(ss);
                 if (configedCiphers <= 0) {
                     /* no ciphers are working/supported */
                     errCode = PORT_GetError();
                     desc = handshake_failure;
                     ret = SSL_SNI_SEND_ALERT;
                     break;
                 }
                 /* Need to tell the client that application has picked
@@ -7921,32 +7905,32 @@ ssl3_HandleV2ClientHello(sslSocket *ss, 
 	random, rand_length);
 
     PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
 		   SSL3_RANDOM_LENGTH));
 #ifdef NSS_ENABLE_ECC
     /* Disable any ECC cipher suites for which we have no cert. */
     ssl3_FilterECCipherSuitesByServerCerts(ss);
 #endif
-    i = ssl3_config_match_init(ss);
+    i = ssl3_cipher_suite_available_init(ss);
     if (i <= 0) {
     	errCode = PORT_GetError();	/* error code is already set. */
 	goto alert_loser;
     }
 
     /* Select a cipher suite.
     **
     ** NOTE: This suite selection algorithm should be the same as the one in
     ** ssl3_HandleClientHello().
     **
     ** See the comments about export cipher suites in ssl3_HandleClientHello().
     */
     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
-	if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
+	if (!cipher_suite_available(suite) ||
 	    !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
 					       ss->version)) {
 	    continue;
 	}
 	for (i = 0; i+2 < suite_length; i += 3) {
 	    PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2];
 	    if (suite_i == suite->cipher_suite) {
 		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
@@ -10026,17 +10010,16 @@ xmit_loser:
     } else {
 	effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
     }
 
     if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
 	/* fill in the sid */
 	sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
 	sid->u.ssl3.compression = ss->ssl3.hs.compression;
-	sid->u.ssl3.policy      = ss->ssl3.policy;
 #ifdef NSS_ENABLE_ECC
 	sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
 #endif
 	sid->u.ssl3.exchKeyType = effectiveExchKeyType;
 	sid->version            = ss->version;
 	sid->authAlgorithm      = ss->sec.authAlgorithm;
 	sid->authKeyBits        = ss->sec.authKeyBits;
 	sid->keaType            = ss->sec.keaType;
@@ -11104,18 +11087,16 @@ ssl3_InitCipherSpec(sslSocket *ss, ssl3C
 static SECStatus
 ssl3_InitState(sslSocket *ss)
 {
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     if (ss->ssl3.initialized)
     	return SECSuccess;	/* Function should be idempotent */
 
-    ss->ssl3.policy = SSL_ALLOWED;
-
     ssl_GetSpecWriteLock(ss);
     ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
     ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
     ss->ssl3.hs.sendingSCSV = PR_FALSE;
     ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
 
     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
@@ -11215,50 +11196,16 @@ ssl3_CreateRSAStepDownKeys(sslSocket *ss
 	    rv = SECFailure;
 	}
     }
 #endif
     return rv;
 }
 
 
-/* record the export policy for this cipher suite */
-SECStatus
-ssl3_SetPolicy(ssl3CipherSuite which, int policy)
-{
-    ssl3CipherSuiteCfg *suite;
-
-    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
-    if (suite == NULL) {
-	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
-    }
-    suite->policy = policy;
-
-    return SECSuccess;
-}
-
-SECStatus
-ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
-{
-    ssl3CipherSuiteCfg *suite;
-    PRInt32             policy;
-    SECStatus           rv;
-
-    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
-    if (suite) {
-    	policy = suite->policy;
-	rv     = SECSuccess;
-    } else {
-    	policy = SSL_NOT_ALLOWED;
-	rv     = SECFailure;	/* err code was set by Lookup. */
-    }
-    *oPolicy = policy;
-    return rv;
-}
-
 /* record the user preference for this suite */
 SECStatus
 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
 {
     ssl3CipherSuiteCfg *suite;
 
     suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
     if (suite == NULL) {
@@ -11315,49 +11262,50 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3Ci
     } else {
     	pref   = SSL_NOT_ALLOWED;
 	rv     = SECFailure;	/* err code was set by Lookup. */
     }
     *enabled = pref;
     return rv;
 }
 
-/* copy global default policy into socket. */
+/* copy global default ciphersuite preferences into socket. */
 void
-ssl3_InitSocketPolicy(sslSocket *ss)
+ssl3_InitSocketCipherSuites(sslSocket *ss)
 {
     PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
 }
 
-/* ssl3_config_match_init must have already been called by
- * the caller of this function.
+/* ssl3_cipher_suite_available_init must have already been called by the caller
+ * of this function.
  */
 SECStatus
 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
 {
     int i, count = 0;
 
     PORT_Assert(ss != 0);
     if (!ss) {
 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
 	return SECFailure;
     }
     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
     	*size = 0;
 	return SECSuccess;
     }
     if (cs == NULL) {
-	*size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
+	*size = count_cipher_suites(ss);
 	return SECSuccess;
     }
 
-    /* ssl3_config_match_init was called by the caller of this function. */
+    /* ssl3_cipher_suite_available_init was called by the caller of this
+     * function. */
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-	if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
+	if (cipher_suite_available(suite)) {
 	    if (cs != NULL) {
 		*cs++ = 0x00;
 		*cs++ = (suite->cipher_suite >> 8) & 0xFF;
 		*cs++ =  suite->cipher_suite       & 0xFF;
 	    }
 	    count++;
 	}
     }
--- a/lib/ssl/ssl3ecc.c
+++ b/lib/ssl/ssl3ecc.c
@@ -997,17 +997,17 @@ ssl3_FilterECCipherSuitesByServerCerts(s
 	default:
 	    ssl3_DisableECCSuites(ss, ecdh_suites);
 	    break;
 	}
     }
 }
 
 /* Ask: is ANY ECC cipher suite enabled on this socket? */
-/* Order(N^2).  Yuk.  Also, this ignores export policy. */
+/* Order(N^2).  Yuk. */
 PRBool
 ssl3_IsECCEnabled(sslSocket * ss)
 {
     const ssl3CipherSuite * suite;
     PK11SlotInfo *slot;
 
     /* make sure we can do ECC */
     slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE,  ss->pkcs11PinArg);
--- a/lib/ssl/sslcon.c
+++ b/lib/ssl/sslcon.c
@@ -15,19 +15,16 @@
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "ssl3prot.h"
 #include "sslerr.h"
 #include "pk11func.h"
 #include "prinit.h"
 #include "prtime.h" 	/* for PR_Now() */
 
-#define XXX
-static PRBool policyWasSet;
-
 /* This ordered list is indexed by (SSL_CK_xx * 3)   */
 /* Second and third bytes are MSB and LSB of master key length. */
 static const PRUint8 allCipherSuites[] = {
     0,						0,    0,
     SSL_CK_RC4_128_WITH_MD5,			0x00, 0x80,
     SSL_CK_RC4_128_EXPORT40_WITH_MD5,		0x00, 0x80,
     SSL_CK_RC2_128_CBC_WITH_MD5,		0x00, 0x80,
     SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,	0x00, 0x80,
@@ -110,24 +107,22 @@ const char * const ssl_cipherName[] = {
     "IDEA-CBC",
     "DES-CBC",
     "DES-EDE3-CBC",
     "unknown",
     "unknown", /* was fortezza, NO LONGER USED */
 };
 
 
-/* bit-masks, showing which SSLv2 suites are allowed.
+/* bit-mask, showing which SSLv2 suites are allowed.
  * lsb corresponds to first cipher suite in allCipherSuites[].
  */
-static PRUint16	allowedByPolicy;          /* all off by default */
-static PRUint16	maybeAllowedByPolicy;     /* all off by default */
 static PRUint16	chosenPreference = 0xff;  /* all on  by default */
 
-/* bit values for the above two bit masks */
+/* bit values for the above bit mask */
 #define SSL_CB_RC4_128_WITH_MD5              (1 << SSL_CK_RC4_128_WITH_MD5)
 #define SSL_CB_RC4_128_EXPORT40_WITH_MD5     (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5)
 #define SSL_CB_RC2_128_CBC_WITH_MD5          (1 << SSL_CK_RC2_128_CBC_WITH_MD5)
 #define SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)
 #define SSL_CB_IDEA_128_CBC_WITH_MD5         (1 << SSL_CK_IDEA_128_CBC_WITH_MD5)
 #define SSL_CB_DES_64_CBC_WITH_MD5           (1 << SSL_CK_DES_64_CBC_WITH_MD5)
 #define SSL_CB_DES_192_EDE3_CBC_WITH_MD5     (1 << SSL_CK_DES_192_EDE3_CBC_WITH_MD5)
 #define SSL_CB_IMPLEMENTED \
@@ -152,29 +147,29 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
     int 		i;
     SECStatus 		rv;
 
     PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
 
     count = 0;
     PORT_Assert(ss != 0);
     allowed = !ss->opt.enableSSL2 ? 0 :
-    	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
+	(ss->chosenPreference & SSL_CB_IMPLEMENTED);
     while (allowed) {
     	if (allowed & 1) 
 	    ++count;
 	allowed >>= 1;
     }
 
-    /* Call ssl3_config_match_init() once here, 
+    /* Call ssl3_cipher_suite_available_init() once here, 
      * instead of inside ssl3_ConstructV2CipherSpecsHack(),
      * because the latter gets called twice below, 
      * and then again in ssl2_BeginClientHandshake().
      */
-    ssl3_config_match_init(ss);
+    ssl3_cipher_suite_available_init(ss);
 
     /* ask SSL3 how many cipher suites it has. */
     rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
     if (rv < 0) 
 	return rv;
     count += ssl3_count;
 
     /* Allocate memory to hold cipher specs */
@@ -188,17 +183,17 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
     if (ss->cipherSpecs != NULL) {
 	PORT_Free(ss->cipherSpecs);
     }
     ss->cipherSpecs     = cs;
     ss->sizeCipherSpecs = count * 3;
 
     /* fill in cipher specs for SSL2 cipher suites */
     allowed = !ss->opt.enableSSL2 ? 0 :
-    	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
+	(ss->chosenPreference & SSL_CB_IMPLEMENTED);
     for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
 	const PRUint8 * hs = implementedCipherSuites + i;
 	int             ok = allowed & (1U << hs[0]);
 	if (ok) {
 	    cs[0] = hs[0];
 	    cs[1] = hs[1];
 	    cs[2] = hs[2];
 	    cs += 3;
@@ -220,31 +215,30 @@ ssl2_ConstructCipherSpecs(sslSocket *ss)
 ** for that protocol have been disabled.  If such cases, it clears the 
 ** enable bit for the protocol.  If no protocols remain enabled, or
 ** if no cipher suites are found, it sets the error code and returns
 ** SECFailure, otherwise it returns SECSuccess.
 */
 static SECStatus
 ssl2_CheckConfigSanity(sslSocket *ss)
 {
-    unsigned int      allowed;
     int               ssl3CipherCount = 0;
     SECStatus         rv;
 
     /* count the SSL2 and SSL3 enabled ciphers.
      * if either is zero, clear the socket's enable for that protocol.
      */
     if (!ss->cipherSpecs)
     	goto disabled;
 
-    allowed = ss->allowedByPolicy & ss->chosenPreference;
-    if (! allowed)
+    if (!ss->chosenPreference)
 	ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */
 
-    /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
+    /* ssl3_cipher_suite_available_init was called in
+     * ssl2_ConstructCipherSpecs(). */
     /* Ask how many ssl3 CipherSuites were enabled. */
     rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
     if (rv != SECSuccess || ssl3CipherCount <= 0) {
 	/* SSL3/TLS not really enabled if no ciphers */
 	ss->vrange.min = SSL_LIBRARY_VERSION_NONE;
 	ss->vrange.max = SSL_LIBRARY_VERSION_NONE;
     }
 
@@ -256,77 +250,16 @@ disabled:
 	return SECFailure;
     }
     return SECSuccess;
 }
 
 /* 
  * Since this is a global (not per-socket) setting, we cannot use the
  * HandshakeLock to protect this.  Probably want a global lock.
- */
-SECStatus
-ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
-{
-    PRUint32  bitMask;
-    SECStatus rv       = SECSuccess;
-
-    which &= 0x000f;
-    bitMask = 1 << which;
-
-    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
-    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
-    	return SECFailure;
-    }
-
-    if (policy == SSL_ALLOWED) {
-	allowedByPolicy 	|= bitMask;
-	maybeAllowedByPolicy 	|= bitMask;
-    } else if (policy == SSL_RESTRICTED) {
-    	allowedByPolicy 	&= ~bitMask;
-	maybeAllowedByPolicy 	|= bitMask;
-    } else {
-    	allowedByPolicy 	&= ~bitMask;
-    	maybeAllowedByPolicy 	&= ~bitMask;
-    }
-    allowedByPolicy 		&= SSL_CB_IMPLEMENTED;
-    maybeAllowedByPolicy 	&= SSL_CB_IMPLEMENTED;
-
-    policyWasSet = PR_TRUE;
-    return rv;
-}
-
-SECStatus
-ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
-{
-    PRUint32     bitMask;
-    PRInt32      policy;
-
-    which &= 0x000f;
-    bitMask = 1 << which;
-
-    /* Caller assures oPolicy is not null. */
-    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
-    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
-	*oPolicy = SSL_NOT_ALLOWED;
-    	return SECFailure;
-    }
-
-    if (maybeAllowedByPolicy & bitMask) {
-    	policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
-    } else {
-	policy = SSL_NOT_ALLOWED;
-    }
-
-    *oPolicy = policy;
-    return SECSuccess;
-}
-
-/* 
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this.  Probably want a global lock.
  * Called from SSL_CipherPrefSetDefault in sslsock.c
  * These changes have no effect on any sslSockets already created. 
  */
 SECStatus
 ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
 {
     PRUint32     bitMask;
     
@@ -405,22 +338,20 @@ ssl2_CipherPrefGet(sslSocket *ss, PRInt3
     }
 
     rv = (PRBool)((ss->chosenPreference & bitMask) != 0);
     *enabled = rv;
     return SECSuccess;
 }
 
 
-/* copy global default policy into socket. */
+/* copy global default cipher suite preferences into socket. */
 void      
-ssl2_InitSocketPolicy(sslSocket *ss)
+ssl2_InitSocketCipherSuites(sslSocket *ss)
 {
-    ss->allowedByPolicy		= allowedByPolicy;
-    ss->maybeAllowedByPolicy	= maybeAllowedByPolicy;
     ss->chosenPreference 	= chosenPreference;
 }
 
 
 /************************************************************************/
 
 /* Called from ssl2_CreateSessionCypher(), which already holds handshake lock.
  */
@@ -1551,17 +1482,17 @@ ssl2_ServerSetupSessionCypher(sslSocket 
     sslSessionID *    sid;
     sslServerCerts *  sc   = ss->serverCerts + kt_rsa;
     PRUint8       *   kbuf = 0;	/* buffer for RSA decrypted data. */
     unsigned int      ddLen;	/* length of RSA decrypted data in kbuf */
     unsigned int      keySize;
     unsigned int      dkLen;    /* decrypted key length in bytes */
     int               modulusLen;
     SECStatus         rv;
-    PRUint16          allowed;  /* cipher kinds enabled and allowed by policy */
+    PRUint16          allowed;  /* cipher kinds enabled */
     PRUint8           mkbuf[SSL_MAX_MASTER_KEY_BYTES];
 
     PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
     PORT_Assert((sc->SERVERKEY != 0));
     PORT_Assert((ss->sec.ci.sid != 0));
     sid = ss->sec.ci.sid;
 
@@ -1579,17 +1510,17 @@ ssl2_ServerSetupSessionCypher(sslSocket 
 
     default:
 	SSL_DBG(("%d: SSL[%d]: ssl2_ServerSetupSessionCypher: unknown cipher=%d",
 		 SSL_GETPID(), ss->fd, cipher));
 	PORT_SetError(SSL_ERROR_BAD_CLIENT);
 	goto loser;
     }
 
-    allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED;
+    allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED;
     if (!(allowed & (1 << cipher))) {
     	/* client chose a kind we don't allow! */
 	SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d",
 		 SSL_GETPID(), ss->fd, cipher));
 	PORT_SetError(SSL_ERROR_BAD_CLIENT);
 	goto loser;
     }
 
@@ -1809,18 +1740,17 @@ ssl2_ChooseSessionCypher(sslSocket *ss,
 
     if (!ss->cipherSpecs) {
 	SECStatus rv = ssl2_ConstructCipherSpecs(ss);
 	if (rv != SECSuccess || !ss->cipherSpecs) 
 	    goto loser;
     }
 
     if (!ss->preferredCipher) {
-    	unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference &
-	                       SSL_CB_IMPLEMENTED;
+	unsigned int allowed = ss->chosenPreference & SSL_CB_IMPLEMENTED;
 	if (allowed) {
 	    preferred = implementedCipherSuites;
 	    for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
 		if (0 != (allowed & (1U << preferred[0]))) {
 		    ss->preferredCipher = preferred;
 		    break;
 		}
 		preferred += 3;
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -258,27 +258,25 @@ struct sslSocketOpsStr {
 */
 struct sslBufferStr {
     unsigned char *	buf;
     unsigned int 	len;
     unsigned int 	space;
 };
 
 /*
-** SSL3 cipher suite policy and preference struct.
+** SSL3 cipher suite preference struct.
 */
 typedef struct {
 #if !defined(_WIN32)
     unsigned int    cipher_suite : 16;
-    unsigned int    policy       :  8;
     unsigned int    enabled      :  1;
     unsigned int    isPresent    :  1;
 #else
     ssl3CipherSuite cipher_suite;
-    PRUint8         policy;
     unsigned char   enabled   : 1;
     unsigned char   isPresent : 1;
 #endif
 } ssl3CipherSuiteCfg;
 
 #ifdef NSS_ENABLE_ECC
 #define ssl_V3_SUITES_IMPLEMENTED 57
 #else
@@ -611,17 +609,16 @@ struct sslSessionIDStr {
 	} ssl2;
 	struct {
 	    /* values that are copied into the server's on-disk SID cache. */
 	    PRUint8               sessionIDLength;
 	    SSL3Opaque            sessionID[SSL3_SESSIONID_BYTES];
 
 	    ssl3CipherSuite       cipherSuite;
 	    SSLCompressionMethod  compression;
-	    int                   policy;
 	    ssl3SidKeys           keys;
 	    CK_MECHANISM_TYPE     masterWrapMech;
 				  /* mechanism used to wrap master secret */
             SSL3KEAType           exchKeyType;
 				  /* key type used in exchange algorithm,
 				   * and to wrap the sym wrapping key. */
 #ifdef NSS_ENABLE_ECC
 	    PRUint32              negotiatedECCurves;
@@ -891,20 +888,16 @@ struct ssl3StateStr {
     ssl3CipherSpec *     cwSpec; 	/* current write spec. */
     ssl3CipherSpec *     pwSpec; 	/* pending write spec. */
 
     CERTCertificate *    clientCertificate;  /* used by client */
     SECKEYPrivateKey *   clientPrivateKey;   /* used by client */
     CERTCertificateList *clientCertChain;    /* used by client */
     PRBool               sendEmptyCert;      /* used by client */
 
-    int                  policy;
-			/* This says what cipher suites we can do, and should 
-			 * be either SSL_ALLOWED or SSL_RESTRICTED 
-			 */
     PLArenaPool *        peerCertArena;
 			    /* These are used to keep track of the peer CA */
     void *               peerCertChain;     
 			    /* chain while we are trying to validate it.   */
     CERTDistNames *      ca_list; 
 			    /* used by server.  trusted CAs for this socket. */
     PRBool               initialized;
     SSL3HandshakeState   hs;
@@ -1190,18 +1183,16 @@ const unsigned char *  preferredCipher;
     ** with this socket. 
     */
     CERTCertDBHandle * dbHandle;
 
     PRThread *  writerThread;   /* thread holds SSL_LOCK_WRITER lock */
 
     PRUint16	shutdownHow; 	/* See ssl_SHUTDOWN defines below. */
 
-    PRUint16	allowedByPolicy;          /* copy of global policy bits. */
-    PRUint16	maybeAllowedByPolicy;     /* copy of global policy bits. */
     PRUint16	chosenPreference;         /* SSL2 cipher preferences. */
 
     sslHandshakingType handshaking;
 
     /* Gather object used for gathering data */
     sslGather        gs;				/*recvBufLock*/
 
     sslBuffer        saveBuf;				/*xmitBufLock*/
@@ -1583,23 +1574,18 @@ extern SECStatus ssl3_CipherPrefGetDefau
 extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
 extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
 
 extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
 extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
 extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
 extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
 
-extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
-extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
-extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
-extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
-
-extern void      ssl2_InitSocketPolicy(sslSocket *ss);
-extern void      ssl3_InitSocketPolicy(sslSocket *ss);
+extern void      ssl2_InitSocketCipherSuites(sslSocket *ss);
+extern void      ssl3_InitSocketCipherSuites(sslSocket *ss);
 
 extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
 						 unsigned char *cs, int *size);
 
 extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
 extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, 
 					     PRUint32 length);
 
@@ -1725,19 +1711,19 @@ extern PRBool ssl_GetSessionTicketKeysPK
 
 extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
 					    unsigned int length);
 
 /* Construct a new NSPR socket for the app to use */
 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
 extern void ssl_FreePRSocket(PRFileDesc *fd);
 
-/* Internal config function so SSL2 can initialize the present state of 
- * various ciphers */
-extern int ssl3_config_match_init(sslSocket *);
+/* Internal config function so SSL3 can test the present state of various
+ * ciphers */
+extern int ssl3_cipher_suite_available_init(sslSocket *);
 
 
 /* Create a new ref counted key pair object from two keys. */
 extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, 
                                       SECKEYPublicKey * pubKey);
 
 /* get a new reference (bump ref count) to an ssl3KeyPair. */
 extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair);
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -16,98 +16,16 @@
 #include "private/pprio.h"
 #ifndef NO_PKCS11_BYPASS
 #include "blapi.h"
 #endif
 #include "nss.h"
 
 #define SET_ERROR_CODE   /* reminder */
 
-struct cipherPolicyStr {
-	int		cipher;
-	unsigned char 	export;	/* policy value for export policy */
-	unsigned char 	france;	/* policy value for france policy */
-};
-
-typedef struct cipherPolicyStr cipherPolicy;
-
-/* This table contains two preconfigured policies: Export and France.
-** It is used only by the functions NSS_SetDomesticPolicy, 
-** NSS_SetExportPolicy, and NSS_SetFrancePolicy.
-** Order of entries is not important.
-*/
-static cipherPolicy ssl_ciphers[] = {	   /*   Export           France   */
- {  SSL_EN_RC4_128_WITH_MD5,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_EN_RC4_128_EXPORT40_WITH_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
- {  SSL_EN_RC2_128_CBC_WITH_MD5,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,   SSL_ALLOWED,     SSL_ALLOWED },
- {  SSL_EN_DES_64_CBC_WITH_MD5,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_EN_DES_192_EDE3_CBC_WITH_MD5,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_RSA_WITH_RC4_128_MD5,		    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
- {  SSL_RSA_WITH_RC4_128_SHA,		    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
- {  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_RSA_WITH_3DES_EDE_CBC_SHA,	    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
- {  SSL_RSA_FIPS_WITH_DES_CBC_SHA,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_RSA_WITH_DES_CBC_SHA,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_RSA_EXPORT_WITH_RC4_40_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
- {  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
- {  SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_RSA_WITH_NULL_MD5,		    SSL_ALLOWED,     SSL_ALLOWED },
- {  SSL_RSA_WITH_NULL_SHA,		    SSL_ALLOWED,     SSL_ALLOWED },
- {  TLS_RSA_WITH_NULL_SHA256,		    SSL_ALLOWED,     SSL_ALLOWED },
- {  TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_WITH_AES_128_CBC_SHA,     	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_WITH_AES_128_CBC_SHA256,        SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_WITH_AES_256_CBC_SHA,     	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_WITH_AES_256_CBC_SHA256,        SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_WITH_SEED_CBC_SHA,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_ALLOWED,     SSL_NOT_ALLOWED },
- {  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_ALLOWED,     SSL_NOT_ALLOWED },
-#ifdef NSS_ENABLE_ECC
- {  TLS_ECDH_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED,     SSL_ALLOWED },
- {  TLS_ECDH_ECDSA_WITH_RC4_128_SHA,        SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_ECDSA_WITH_NULL_SHA,          SSL_ALLOWED,     SSL_ALLOWED },
- {  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_RSA_WITH_NULL_SHA,             SSL_ALLOWED,     SSL_ALLOWED },
- {  TLS_ECDH_RSA_WITH_RC4_128_SHA,          SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_RSA_WITH_NULL_SHA,            SSL_ALLOWED,     SSL_ALLOWED },
- {  TLS_ECDHE_RSA_WITH_RC4_128_SHA,         SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
-#endif /* NSS_ENABLE_ECC */
- {  0,					    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
-};
-
 static const sslSocketOps ssl_default_ops = {	/* No SSL. */
     ssl_DefConnect,
     NULL,
     ssl_DefBind,
     ssl_DefListen,
     ssl_DefShutdown,
     ssl_DefClose,
     ssl_DefRecv,
@@ -279,19 +197,17 @@ ssl_DupSocket(sslSocket *os)
 	ss->url                = !os->url    ? NULL : PORT_Strdup(os->url);
 
 	ss->ops      = os->ops;
 	ss->rTimeout = os->rTimeout;
 	ss->wTimeout = os->wTimeout;
 	ss->cTimeout = os->cTimeout;
 	ss->dbHandle = os->dbHandle;
 
-	/* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
-	ss->allowedByPolicy	= os->allowedByPolicy;
-	ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
+	/* copy ssl2&3 prefs, even if it's not selected (yet) */
 	ss->chosenPreference 	= os->chosenPreference;
 	PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
 	PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers,
 		    sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount);
 	ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount;
 
 	if (os->cipherSpecs) {
 	    ss->cipherSpecs  = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
@@ -1158,72 +1074,33 @@ ssl_IsRemovedCipherSuite(PRInt32 suite)
     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
     	return PR_TRUE;
     default:
     	return PR_FALSE;
     }
 }
 
-/* Part of the public NSS API.
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this.  Probably want a global lock.
- */
 SECStatus
 SSL_SetPolicy(long which, int policy)
 {
-    if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
-    	/* one of the two old FIPS ciphers */
-	if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
-	    which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
-	else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
-	    which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
-    }
-    if (ssl_IsRemovedCipherSuite(which))
-    	return SECSuccess;
-    return SSL_CipherPolicySet(which, policy);
+    return SECSuccess;
 }
 
 SECStatus
 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
 {
-    SECStatus rv = ssl_Init();
-
-    if (rv != SECSuccess) {
-	return rv;
-    }
-
-    if (ssl_IsRemovedCipherSuite(which)) {
-    	rv = SECSuccess;
-    } else if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_SetPolicy(which, policy);
-    } else {
-	rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
-    }
-    return rv;
+    return SECSuccess;
 }
 
 SECStatus
 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
 {
-    SECStatus rv;
-
-    if (!oPolicy) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    if (ssl_IsRemovedCipherSuite(which)) {
-	*oPolicy = SSL_NOT_ALLOWED;
-    	rv = SECSuccess;
-    } else if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_GetPolicy(which, oPolicy);
-    } else {
-	rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
-    }
-    return rv;
+    *oPolicy = SSL_ALLOWED;
+    return SECSuccess;
 }
 
 /* Part of the public NSS API.
  * Since this is a global (not per-socket) setting, we cannot use the
  * HandshakeLock to protect this.  Probably want a global lock.
  * These changes have no effect on any sslSockets already created. 
  */
 SECStatus
@@ -1332,37 +1209,29 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
 	rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
     }
     return rv;
 }
 
 SECStatus
 NSS_SetDomesticPolicy(void)
 {
-    SECStatus      status = SECSuccess;
-    cipherPolicy * policy;
-
-    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
-	status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
-	if (status != SECSuccess)
-	    break;
-    }
-    return status;
+    return SECSuccess;
 }
 
 SECStatus
 NSS_SetExportPolicy(void)
 {
-    return NSS_SetDomesticPolicy();
+    return SECSuccess;
 }
 
 SECStatus
 NSS_SetFrancePolicy(void)
 {
-    return NSS_SetDomesticPolicy();
+    return SECSuccess;
 }
 
 
 
 /* LOCKS ??? XXX */
 static PRFileDesc *
 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant)
 {
@@ -2976,18 +2845,18 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
         ss->sniSocketConfigArg = NULL;
 	ss->getClientAuthData  = NULL;
 	ss->handleBadCert      = NULL;
 	ss->badCertArg         = NULL;
 	ss->pkcs11PinArg       = NULL;
 	ss->ephemeralECDHKeyPair = NULL;
 
 	ssl_ChooseOps(ss);
-	ssl2_InitSocketPolicy(ss);
-	ssl3_InitSocketPolicy(ss);
+	ssl2_InitSocketCipherSuites(ss);
+	ssl3_InitSocketCipherSuites(ss);
 	PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
 
 	if (makeLocks) {
 	    status = ssl_MakeLocks(ss);
 	    if (status != SECSuccess)
 		goto loser;
 	}
 	status = ssl_CreateSecurityInfo(ss);