diff options
| author | Moonchild <moonchild@palemoon.org> | 2021-10-11 22:16:04 +0000 |
|---|---|---|
| committer | Moonchild <moonchild@palemoon.org> | 2022-04-01 14:52:46 +0200 |
| commit | 1caa678592ac5c372975bdaa24ce01b470349b1f (patch) | |
| tree | 8c40267af010fb9469c11545eeeacac312680f07 | |
| parent | ddaee7c1be914cc28a28cbe27e5922215b3b2e6f (diff) | |
| download | uxp-1caa678592ac5c372975bdaa24ce01b470349b1f.tar.gz | |
Issue #1831 - Add an option to enable TLS 1.3 "compatibility" mode.
Critical note: this potentially reduces the strength of TLS 1.3 and
should only be enabled if absolutely necessary to access a site.
A browser restart is required for the pref change to take effect as it
is set on NSS initialization.
Resolves #1831
| -rw-r--r-- | netwerk/base/security-prefs.js | 6 | ||||
| -rw-r--r-- | security/manager/ssl/nsNSSComponent.cpp | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js index 973c731239..745f1072c8 100644 --- a/netwerk/base/security-prefs.js +++ b/netwerk/base/security-prefs.js @@ -120,6 +120,12 @@ pref("security.webauth.u2f_enable_usbtoken", false); // OCSP must-staple pref("security.ssl.enable_ocsp_must_staple", true); +// Enable TLS 1.3 compatmode version for bad middleware boxes? +// This is a holdover from the later draft specs and SHOULD NOT be enabled by +// default. ONLY use this when you explicitly need it. You have been warned! +// Restart required. +pref("security.ssl.enable_tls13_compat_mode", false); + // If a request is mixed-content, send an HSTS priming request to attempt to // see if it is available over HTTPS. pref("security.mixed_content.send_hsts_priming", true); diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index 6e6d614410..b9f8b6e21d 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1443,6 +1443,7 @@ static const bool FALSE_START_ENABLED_DEFAULT = true; static const bool NPN_ENABLED_DEFAULT = true; static const bool ALPN_ENABLED_DEFAULT = false; static const bool ENABLED_0RTT_DATA_DEFAULT = false; +static const bool TLS13_COMPAT_MODE_DEFAULT = false; static void ConfigureTLSSessionIdentifiers() @@ -1876,6 +1877,11 @@ nsNSSComponent::InitializeNSS() Preferences::GetBool("security.tls.enable_0rtt_data", ENABLED_0RTT_DATA_DEFAULT)); + // Set TLS 1.3 compatibility mode for bad middleware boxes? + SSL_OptionSetDefault(SSL_ENABLE_TLS13_COMPAT_MODE, + Preferences::GetBool("security.ssl.enable_tls13_compat_mode", + TLS13_COMPAT_MODE_DEFAULT)); + if (NS_FAILED(InitializeCipherSuite())) { MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("Unable to initialize cipher suite settings\n")); |