2 files changed, 17 insertions, 3 deletions

diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index aa4bfc647..8d4e709db 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -77,6 +77,8 @@ struct tls_header {
 #define TLS_RSA_WITH_NULL_SHA 0x0002
 #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002f
 #define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
+#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003c
+#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003d
 
 /* TLS extension types */
 #define TLS_SERVER_NAME 0
diff --git a/src/net/tls.c b/src/net/tls.c
index 517a13e15..4195e5c77 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -513,6 +513,16 @@ static int tls_select_cipher ( struct tls_session *tls,
 		cipher = &aes_cbc_algorithm;
 		digest = &sha1_algorithm;
 		break;
+	case htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ):
+		key_len = ( 128 / 8 );
+		cipher = &aes_cbc_algorithm;
+		digest = &sha256_algorithm;
+		break;
+	case htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ):
+		key_len = ( 256 / 8 );
+		cipher = &aes_cbc_algorithm;
+		digest = &sha256_algorithm;
+		break;
 	default:
 		DBGC ( tls, "TLS %p does not support cipher %04x\n",
 		       tls, ntohs ( cipher_suite ) );
@@ -677,7 +687,7 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
 		uint8_t random[32];
 		uint8_t session_id_len;
 		uint16_t cipher_suite_len;
-		uint16_t cipher_suites[2];
+		uint16_t cipher_suites[4];
 		uint8_t compression_methods_len;
 		uint8_t compression_methods[1];
 		uint16_t extensions_len;
@@ -702,8 +712,10 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
 	hello.version = htons ( tls->version );
 	memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
 	hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
-	hello.cipher_suites[0] = htons ( TLS_RSA_WITH_AES_128_CBC_SHA );
-	hello.cipher_suites[1] = htons ( TLS_RSA_WITH_AES_256_CBC_SHA );
+	hello.cipher_suites[0] = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 );
+	hello.cipher_suites[1] = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 );
+	hello.cipher_suites[2] = htons ( TLS_RSA_WITH_AES_256_CBC_SHA );
+	hello.cipher_suites[3] = htons ( TLS_RSA_WITH_AES_128_CBC_SHA );
 	hello.compression_methods_len = sizeof ( hello.compression_methods );
 	hello.extensions_len = htons ( sizeof ( hello.extensions ) );
 	hello.extensions.server_name_type = htons ( TLS_SERVER_NAME );