
AppleTLS: Update cipher suites

Also make the suite selection more sane.
Nils Maier 11 سال پیش
والد
کامیت
e195dc5f00
1فایلهای تغییر یافته به همراه191 افزوده شده و 135 حذف شده
  1. 191 135
      src/AppleTLSSession.cc

+ 191 - 135
src/AppleTLSSession.cc

@@ -35,6 +35,7 @@
 
 #include "AppleTLSSession.h"
 
+#include <sstream>
 #include <vector>
 
 #include <CoreFoundation/CoreFoundation.h>
@@ -95,160 +96,215 @@ namespace {
     }
   }
 
-#define SUITE(s) { s, #s }
+#define SUITE(s, n) { n, #s }
   static struct {
     SSLCipherSuite suite;
     const char *name;
   } kSuites[] = {
-    SUITE(SSL_NULL_WITH_NULL_NULL),
-    SUITE(SSL_RSA_WITH_NULL_MD5),
-    SUITE(SSL_RSA_WITH_NULL_SHA),
-    SUITE(SSL_RSA_EXPORT_WITH_RC4_40_MD5),
-    SUITE(SSL_RSA_WITH_RC4_128_MD5),
-    SUITE(SSL_RSA_WITH_RC4_128_SHA),
-    SUITE(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5),
-    SUITE(SSL_RSA_WITH_IDEA_CBC_SHA),
-    SUITE(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA),
-    SUITE(SSL_RSA_WITH_DES_CBC_SHA),
-    SUITE(SSL_RSA_WITH_3DES_EDE_CBC_SHA),
-    SUITE(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA),
-    SUITE(SSL_DH_DSS_WITH_DES_CBC_SHA),
-    SUITE(SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA),
-    SUITE(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA),
-    SUITE(SSL_DH_RSA_WITH_DES_CBC_SHA),
-    SUITE(SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA),
-    SUITE(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA),
-    SUITE(SSL_DHE_DSS_WITH_DES_CBC_SHA),
-    SUITE(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA),
-    SUITE(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA),
-    SUITE(SSL_DHE_RSA_WITH_DES_CBC_SHA),
-    SUITE(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA),
-    SUITE(SSL_DH_anon_EXPORT_WITH_RC4_40_MD5),
-    SUITE(SSL_DH_anon_WITH_RC4_128_MD5),
-    SUITE(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA),
-    SUITE(SSL_DH_anon_WITH_DES_CBC_SHA),
-    SUITE(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA),
-    SUITE(SSL_FORTEZZA_DMS_WITH_NULL_SHA),
-    SUITE(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA),
-    SUITE(TLS_RSA_WITH_AES_128_CBC_SHA),
-    SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA),
-    SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA),
-    SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA),
-    SUITE(TLS_DHE_RSA_WITH_AES_128_CBC_SHA),
-    SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA),
-    SUITE(TLS_RSA_WITH_AES_256_CBC_SHA),
-    SUITE(TLS_DH_DSS_WITH_AES_256_CBC_SHA),
-    SUITE(TLS_DH_RSA_WITH_AES_256_CBC_SHA),
-    SUITE(TLS_DHE_DSS_WITH_AES_256_CBC_SHA),
-    SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA),
-    SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA),
-    SUITE(TLS_ECDH_ECDSA_WITH_NULL_SHA),
-    SUITE(TLS_ECDH_ECDSA_WITH_RC4_128_SHA),
-    SUITE(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA),
-    SUITE(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA),
-    SUITE(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA),
-    SUITE(TLS_ECDHE_ECDSA_WITH_NULL_SHA),
-    SUITE(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA),
-    SUITE(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA),
-    SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
-    SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
-    SUITE(TLS_ECDH_RSA_WITH_NULL_SHA),
-    SUITE(TLS_ECDH_RSA_WITH_RC4_128_SHA),
-    SUITE(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA),
-    SUITE(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA),
-    SUITE(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA),
-    SUITE(TLS_ECDHE_RSA_WITH_NULL_SHA),
-    SUITE(TLS_ECDHE_RSA_WITH_RC4_128_SHA),
-    SUITE(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA),
-    SUITE(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA),
-    SUITE(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA),
-    SUITE(TLS_ECDH_anon_WITH_NULL_SHA),
-    SUITE(TLS_ECDH_anon_WITH_RC4_128_SHA),
-    SUITE(SSL_RSA_WITH_RC2_CBC_MD5),
-    SUITE(SSL_RSA_WITH_IDEA_CBC_MD5),
-    SUITE(SSL_RSA_WITH_DES_CBC_MD5),
-    SUITE(SSL_RSA_WITH_3DES_EDE_CBC_MD5),
-
-#if defined(__MAC_10_8)
-    SUITE(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA),
-    SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256),
-    SUITE(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256),
-    SUITE(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256),
-    SUITE(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384),
-    SUITE(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA),
-    SUITE(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256),
-    SUITE(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256),
-    SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256),
-    SUITE(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384),
-    SUITE(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA),
-    SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA256),
-    SUITE(TLS_DH_DSS_WITH_AES_128_GCM_SHA256),
-    SUITE(TLS_DH_DSS_WITH_AES_256_CBC_SHA256),
-    SUITE(TLS_DH_DSS_WITH_AES_256_GCM_SHA384),
-    SUITE(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA),
-    SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA256),
-    SUITE(TLS_DH_RSA_WITH_AES_128_GCM_SHA256),
-    SUITE(TLS_DH_RSA_WITH_AES_256_CBC_SHA256),
-    SUITE(TLS_DH_RSA_WITH_AES_256_GCM_SHA384),
-    SUITE(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA),
-    SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA256),
-    SUITE(TLS_DH_anon_WITH_AES_128_GCM_SHA256),
-    SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA256),
-    SUITE(TLS_DH_anon_WITH_AES_256_GCM_SHA384),
-    SUITE(TLS_DH_anon_WITH_RC4_128_MD5),
-    SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256),
-    SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
-    SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384),
-    SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
-    SUITE(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256),
-    SUITE(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),
-    SUITE(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384),
-    SUITE(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384),
-    SUITE(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256),
-    SUITE(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256),
-    SUITE(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384),
-    SUITE(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384),
-    SUITE(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256),
-    SUITE(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256),
-    SUITE(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384),
-    SUITE(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384),
-    SUITE(TLS_EMPTY_RENEGOTIATION_INFO_SCSV),
-    SUITE(TLS_NULL_WITH_NULL_NULL),
-    SUITE(TLS_RSA_WITH_3DES_EDE_CBC_SHA),
-    SUITE(TLS_RSA_WITH_AES_128_CBC_SHA256),
-    SUITE(TLS_RSA_WITH_AES_128_GCM_SHA256),
-    SUITE(TLS_RSA_WITH_AES_256_CBC_SHA256),
-    SUITE(TLS_RSA_WITH_AES_256_GCM_SHA384),
-    SUITE(TLS_RSA_WITH_NULL_MD5),
-    SUITE(TLS_RSA_WITH_NULL_SHA),
-    SUITE(TLS_RSA_WITH_NULL_SHA256),
-    SUITE(TLS_RSA_WITH_RC4_128_MD5),
-    SUITE(TLS_RSA_WITH_RC4_128_SHA),
-#endif
-
-    SUITE(SSL_NO_SUCH_CIPHERSUITE)
+    // From CipherSuite.h (10.9)
+    SUITE(SSL_NULL_WITH_NULL_NULL, 0x0000),
+    SUITE(SSL_RSA_WITH_NULL_MD5, 0x0001),
+    SUITE(SSL_RSA_WITH_NULL_SHA, 0x0002),
+    SUITE(SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0x0003),
+    SUITE(SSL_RSA_WITH_RC4_128_MD5, 0x0004),
+    SUITE(SSL_RSA_WITH_RC4_128_SHA, 0x0005),
+    SUITE(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0x0006),
+    SUITE(SSL_RSA_WITH_IDEA_CBC_SHA, 0x0007),
+    SUITE(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 0x0008),
+    SUITE(SSL_RSA_WITH_DES_CBC_SHA, 0x0009),
+    SUITE(SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0x000A),
+    SUITE(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, 0x000B),
+    SUITE(SSL_DH_DSS_WITH_DES_CBC_SHA, 0x000C),
+    SUITE(SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, 0x000D),
+    SUITE(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, 0x000E),
+    SUITE(SSL_DH_RSA_WITH_DES_CBC_SHA, 0x000F),
+    SUITE(SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, 0x0010),
+    SUITE(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 0x0011),
+    SUITE(SSL_DHE_DSS_WITH_DES_CBC_SHA, 0x0012),
+    SUITE(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 0x0013),
+    SUITE(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 0x0014),
+    SUITE(SSL_DHE_RSA_WITH_DES_CBC_SHA, 0x0015),
+    SUITE(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 0x0016),
+    SUITE(SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 0x0017),
+    SUITE(SSL_DH_anon_WITH_RC4_128_MD5, 0x0018),
+    SUITE(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, 0x0019),
+    SUITE(SSL_DH_anon_WITH_DES_CBC_SHA, 0x001A),
+    SUITE(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 0x001B),
+    SUITE(SSL_FORTEZZA_DMS_WITH_NULL_SHA, 0x001C),
+    SUITE(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 0x001D),
+
+    SUITE(TLS_RSA_WITH_AES_128_CBC_SHA, 0x002F),
+    SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA, 0x0030),
+    SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA, 0x0031),
+    SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 0x0032),
+    SUITE(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 0x0033),
+    SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA, 0x0034),
+    SUITE(TLS_RSA_WITH_AES_256_CBC_SHA, 0x0035),
+    SUITE(TLS_DH_DSS_WITH_AES_256_CBC_SHA, 0x0036),
+    SUITE(TLS_DH_RSA_WITH_AES_256_CBC_SHA, 0x0037),
+    SUITE(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 0x0038),
+    SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 0x0039),
+    SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA, 0x003A),
+
+    SUITE(TLS_ECDH_ECDSA_WITH_NULL_SHA, 0xC001),
+    SUITE(TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0xC002),
+    SUITE(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0xC003),
+    SUITE(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0xC004),
+    SUITE(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0xC005),
+    SUITE(TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0xC006),
+    SUITE(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0xC007),
+    SUITE(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0xC008),
+    SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0xC009),
+    SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0xC00A),
+    SUITE(TLS_ECDH_RSA_WITH_NULL_SHA, 0xC00B),
+    SUITE(TLS_ECDH_RSA_WITH_RC4_128_SHA, 0xC00C),
+    SUITE(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0xC00D),
+    SUITE(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0xC00E),
+    SUITE(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0xC00F),
+    SUITE(TLS_ECDHE_RSA_WITH_NULL_SHA, 0xC010),
+    SUITE(TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0xC011),
+    SUITE(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0xC012),
+    SUITE(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0xC013),
+    SUITE(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0xC014),
+    SUITE(TLS_ECDH_anon_WITH_NULL_SHA, 0xC015),
+    SUITE(TLS_ECDH_anon_WITH_RC4_128_SHA, 0xC016),
+    SUITE(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0xC017),
+    SUITE(TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0xC018),
+    SUITE(TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0xC019),
+
+    SUITE(TLS_NULL_WITH_NULL_NULL, 0x0000),
+
+    SUITE(TLS_RSA_WITH_NULL_MD5, 0x0001),
+    SUITE(TLS_RSA_WITH_NULL_SHA, 0x0002),
+    SUITE(TLS_RSA_WITH_RC4_128_MD5, 0x0004),
+    SUITE(TLS_RSA_WITH_RC4_128_SHA, 0x0005),
+    SUITE(TLS_RSA_WITH_3DES_EDE_CBC_SHA, 0x000A),
+    SUITE(TLS_RSA_WITH_NULL_SHA256, 0x003B),
+    SUITE(TLS_RSA_WITH_AES_128_CBC_SHA256, 0x003C),
+    SUITE(TLS_RSA_WITH_AES_256_CBC_SHA256, 0x003D),
+
+    SUITE(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, 0x000D),
+    SUITE(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, 0x0010),
+    SUITE(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 0x0013),
+    SUITE(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 0x0016),
+    SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA256, 0x003E),
+    SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA256, 0x003F),
+    SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 0x0040),
+    SUITE(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 0x0067),
+    SUITE(TLS_DH_DSS_WITH_AES_256_CBC_SHA256, 0x0068),
+    SUITE(TLS_DH_RSA_WITH_AES_256_CBC_SHA256, 0x0069),
+    SUITE(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, 0x006A),
+    SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 0x006B),
+
+    SUITE(TLS_DH_anon_WITH_RC4_128_MD5, 0x0018),
+    SUITE(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, 0x001B),
+    SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA256, 0x006C),
+    SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA256, 0x006D),
+
+    SUITE(TLS_PSK_WITH_RC4_128_SHA, 0x008A),
+    SUITE(TLS_PSK_WITH_3DES_EDE_CBC_SHA, 0x008B),
+    SUITE(TLS_PSK_WITH_AES_128_CBC_SHA, 0x008C),
+    SUITE(TLS_PSK_WITH_AES_256_CBC_SHA, 0x008D),
+    SUITE(TLS_DHE_PSK_WITH_RC4_128_SHA, 0x008E),
+    SUITE(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, 0x008F),
+    SUITE(TLS_DHE_PSK_WITH_AES_128_CBC_SHA, 0x0090),
+    SUITE(TLS_DHE_PSK_WITH_AES_256_CBC_SHA, 0x0091),
+    SUITE(TLS_RSA_PSK_WITH_RC4_128_SHA, 0x0092),
+    SUITE(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, 0x0093),
+    SUITE(TLS_RSA_PSK_WITH_AES_128_CBC_SHA, 0x0094),
+    SUITE(TLS_RSA_PSK_WITH_AES_256_CBC_SHA, 0x0095),
+
+    SUITE(TLS_PSK_WITH_NULL_SHA, 0x002C),
+    SUITE(TLS_DHE_PSK_WITH_NULL_SHA, 0x002D),
+    SUITE(TLS_RSA_PSK_WITH_NULL_SHA, 0x002E),
+
+    SUITE(TLS_RSA_WITH_AES_128_GCM_SHA256, 0x009C),
+    SUITE(TLS_RSA_WITH_AES_256_GCM_SHA384, 0x009D),
+    SUITE(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 0x009E),
+    SUITE(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 0x009F),
+    SUITE(TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 0x00A0),
+    SUITE(TLS_DH_RSA_WITH_AES_256_GCM_SHA384, 0x00A1),
+    SUITE(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, 0x00A2),
+    SUITE(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, 0x00A3),
+    SUITE(TLS_DH_DSS_WITH_AES_128_GCM_SHA256, 0x00A4),
+    SUITE(TLS_DH_DSS_WITH_AES_256_GCM_SHA384, 0x00A5),
+    SUITE(TLS_DH_anon_WITH_AES_128_GCM_SHA256, 0x00A6),
+    SUITE(TLS_DH_anon_WITH_AES_256_GCM_SHA384, 0x00A7),
+
+    SUITE(TLS_PSK_WITH_AES_128_GCM_SHA256, 0x00A8),
+    SUITE(TLS_PSK_WITH_AES_256_GCM_SHA384, 0x00A9),
+    SUITE(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, 0x00AA),
+    SUITE(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, 0x00AB),
+    SUITE(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, 0x00AC),
+    SUITE(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, 0x00AD),
+
+    SUITE(TLS_PSK_WITH_AES_128_CBC_SHA256, 0x00AE),
+    SUITE(TLS_PSK_WITH_AES_256_CBC_SHA384, 0x00AF),
+    SUITE(TLS_PSK_WITH_NULL_SHA256, 0x00B0),
+    SUITE(TLS_PSK_WITH_NULL_SHA384, 0x00B1),
+
+    SUITE(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, 0x00B2),
+    SUITE(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, 0x00B3),
+    SUITE(TLS_DHE_PSK_WITH_NULL_SHA256, 0x00B4),
+    SUITE(TLS_DHE_PSK_WITH_NULL_SHA384, 0x00B5),
+
+    SUITE(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, 0x00B6),
+    SUITE(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, 0x00B7),
+    SUITE(TLS_RSA_PSK_WITH_NULL_SHA256, 0x00B8),
+    SUITE(TLS_RSA_PSK_WITH_NULL_SHA384, 0x00B9),
+
+    SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0xC023),
+    SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 0xC024),
+    SUITE(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, 0xC025),
+    SUITE(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, 0xC026),
+    SUITE(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0xC027),
+    SUITE(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 0xC028),
+    SUITE(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 0xC029),
+    SUITE(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, 0xC02A),
+
+    SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0xC02B),
+    SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 0xC02C),
+    SUITE(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 0xC02D),
+    SUITE(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 0xC02E),
+    SUITE(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0xC02F),
+    SUITE(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0xC030),
+    SUITE(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 0xC031),
+    SUITE(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 0xC032),
+
+    SUITE(TLS_EMPTY_RENEGOTIATION_INFO_SCSV, 0x00FF),
+    SUITE(SSL_RSA_WITH_RC2_CBC_MD5, 0xFF80),
+    SUITE(SSL_RSA_WITH_IDEA_CBC_MD5, 0xFF81),
+    SUITE(SSL_RSA_WITH_DES_CBC_MD5, 0xFF82),
+    SUITE(SSL_RSA_WITH_3DES_EDE_CBC_MD5, 0xFF83),
+    SUITE(SSL_NO_SUCH_CIPHERSUITE, 0xFFFF)
   };
 #undef SUITE
 
-  static inline const char* suiteToString(const SSLCipherSuite suite)
+  static inline std::string suiteToString(const SSLCipherSuite suite)
   {
     for (auto & s : kSuites) {
       if (s.suite == suite) {
         return s.name;
       }
     }
-    return "Unknown suite";
+    std::stringstream ss;
+    ss << "Unknown suite (0x" << std::hex << suite << ") like TLS_NULL_WITH_NULL_NULL";
+    return ss.str();
   }
 
   static const char* kBlocked[] = {
-    "NULL", "anon", "MD5", "EXPORT", "DES", "IDEA", "NO_SUCH", "EMPTY"
+    "NULL", "anon", "MD5", "EXPORT", "DES", "IDEA", "NO_SUCH", "EMPTY", "PSK"
   };
 
   static inline bool isBlockedSuite(SSLCipherSuite suite)
   {
-    const char* name = suiteToString(suite);
+    using namespace aria2;
+
+    // Don't care about SSL2 suites!
+    std::string name = suiteToString(suite);
     for (auto& blocked : kBlocked) {
-      if (strstr(name, blocked)) {
+      if (strstr(name.c_str(), blocked)) {
+        A2_LOG_DEBUG(fmt("Removing blocked cipher suite: %s", name.c_str()));
         return true;
       }
     }
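Review bot: In `suiteToString`, the fallback string's tail `like TLS_NULL_WITH_NULL_NULL` appears to exist only so that `isBlockedSuite` rejects unknown suite IDs through the `"NULL"` entry of `kBlocked`; nothing in the code says so, and rewording the message or trimming the blocklist would silently let unknown suites through the filter. A comment above the fallback would make the dependency visible, e.g. `// Tail must contain a kBlocked token ("NULL") so isBlockedSuite() rejects unknown suites.`; the same text is also what the "Connected to %s with %s (%s)" log line prints for an unlisted suite, which reads as if a NULL cipher had been negotiated. Separately, `kBlocked` has no `"RC4"` entry, so the `*_WITH_RC4_128_SHA` rows of `kSuites` pass this filter unless code outside the hunk removes them. `isBlockedSuite` continues past the end of the hunk.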
@@ -344,7 +400,7 @@ AppleTLSSession::AppleTLSSession(AppleTLSContext* ctx)
     return;
   }
   for (const auto& suite: enabled) {
-    A2_LOG_INFO(fmt("AppleTLS: Enabled suite %s", suiteToString(suite)));
+    A2_LOG_INFO(fmt("AppleTLS: Enabled suite %s", suiteToString(suite).c_str()));
   }
   if (SSLSetEnabledCiphers(sslCtx_, &enabled[0], enabled.size()) != noErr) {
     A2_LOG_ERROR("AppleTLS: Failed to set enabled ciphers list");
@@ -613,7 +669,7 @@ int AppleTLSSession::tlsConnect(const std::string& hostname, std::string& handsh
   A2_LOG_INFO(fmt("AppleTLS: Connected to %s with %s (%s)",
                   hostname.c_str(),
                   protoToString(proto),
-                  suiteToString(suite)));
+                  suiteToString(suite).c_str()));
 
   return TLS_ERR_OK;
 }