diff options
| author | Moonchild <moonchild@palemoon.org> | 2021-10-11 22:16:04 +0000 |
|---|---|---|
| committer | Moonchild <moonchild@palemoon.org> | 2021-11-05 11:34:02 +0000 |
| commit | d3163822fbb2f203b7eca1e21f35b637f09981e9 (patch) | |
| tree | 1e5d235cad2c68600fca6c6b0405dde210da0802 | |
| parent | 7b636b886906f0334e2159f473931c4f6443fae9 (diff) | |
| download | uxp-d3163822fbb2f203b7eca1e21f35b637f09981e9.tar.gz | |
Issue #3004 - Add an option to enable TLS 1.3 "compatibility" mode.
Critical note: this potentially reduces the strength of TLS 1.3 and should only
be enabled if absolutely necessary to access a site.
A browser restart is required for the pref change to take effect as it is set on
NSS initialization.
| -rw-r--r-- | netwerk/base/security-prefs.js | 6 | ||||
| -rw-r--r-- | security/manager/ssl/nsNSSComponent.cpp | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js index 973c731239..745f1072c8 100644 --- a/netwerk/base/security-prefs.js +++ b/netwerk/base/security-prefs.js @@ -120,6 +120,12 @@ pref("security.webauth.u2f_enable_usbtoken", false); // OCSP must-staple pref("security.ssl.enable_ocsp_must_staple", true); +// Enable TLS 1.3 compatmode version for bad middleware boxes? +// This is a holdover from the later draft specs and SHOULD NOT be enabled by +// default. ONLY use this when you explicitly need it. You have been warned! +// Restart required. +pref("security.ssl.enable_tls13_compat_mode", false); + // If a request is mixed-content, send an HSTS priming request to attempt to // see if it is available over HTTPS. pref("security.mixed_content.send_hsts_priming", true); diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index 6e6d614410..b9f8b6e21d 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1443,6 +1443,7 @@ static const bool FALSE_START_ENABLED_DEFAULT = true; static const bool NPN_ENABLED_DEFAULT = true; static const bool ALPN_ENABLED_DEFAULT = false; static const bool ENABLED_0RTT_DATA_DEFAULT = false; +static const bool TLS13_COMPAT_MODE_DEFAULT = false; static void ConfigureTLSSessionIdentifiers() @@ -1876,6 +1877,11 @@ nsNSSComponent::InitializeNSS() Preferences::GetBool("security.tls.enable_0rtt_data", ENABLED_0RTT_DATA_DEFAULT)); + // Set TLS 1.3 compatibility mode for bad middleware boxes? + SSL_OptionSetDefault(SSL_ENABLE_TLS13_COMPAT_MODE, + Preferences::GetBool("security.ssl.enable_tls13_compat_mode", + TLS13_COMPAT_MODE_DEFAULT)); + if (NS_FAILED(InitializeCipherSuite())) { MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("Unable to initialize cipher suite settings\n")); |