Reinstate RC4 and mark 3DES weak.

Tag mcp-graveyard/UXP%709

2 files changed, 9 insertions, 1 deletions

diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
index cfbbf4a45..7d63267a6 100644
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -42,6 +42,8 @@ pref("security.ssl3.dhe_rsa_aes_128_sha", false);
 pref("security.ssl3.rsa_aes_128_gcm_sha256", false);
 pref("security.ssl3.rsa_aes_128_sha256", false);
 pref("security.ssl3.rsa_des_ede3_sha", false);
+pref("security.ssl3.rsa_rc4_128_sha", false);
+pref("security.ssl3.rsa_rc4_128_md5", false);
 
 pref("security.content.signature.root_hash",
      "97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E");
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index acaf9da90..69b36d85f 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1376,12 +1376,18 @@ static const CipherPref sCipherPrefs[] = {
    TLS_RSA_WITH_AES_256_CBC_SHA, true },
 
 // Expensive/deprecated/weak
+// Deprecated
  { "security.ssl3.rsa_aes_128_gcm_sha256",
    TLS_RSA_WITH_AES_128_GCM_SHA256, false }, // Deprecated
  { "security.ssl3.rsa_aes_128_sha256",
    TLS_RSA_WITH_AES_128_CBC_SHA256, false }, // Deprecated
+// Weak/vulnerable
  { "security.ssl3.rsa_des_ede3_sha",
-   TLS_RSA_WITH_3DES_EDE_CBC_SHA, false }, // Weak (3DES)
+   TLS_RSA_WITH_3DES_EDE_CBC_SHA, false, true }, // Weak (3DES)
+ { "security.ssl3.rsa_rc4_128_sha",
+   TLS_RSA_WITH_RC4_128_SHA, false, true }, // RC4
+ { "security.ssl3.rsa_rc4_128_md5",
+   TLS_RSA_WITH_RC4_128_MD5, false, true }, // RC4, HMAC-MD5
 
  // All the rest are disabled