author | Moonchild <moonchild@palemoon.org> | 2023-03-28 13:36:37 +0200 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2023-03-28 15:13:09 +0200 |
commit | 500ece900aacc117b4c3368e587a2d33bcb1519c (patch) | |
tree | d47132377e327ae22660c38a4557fe368a5a5414 /netwerk | |
parent | f90106bd7e89dbb0d932698147fb1819f0a1b3e2 (diff) | |
download | uxp-500ece900aacc117b4c3368e587a2d33bcb1519c.tar.gz |
Issue #2180 - Add pref to control NSS TLS 1.3 protocol downgrade sentinel
Diffstat (limited to 'netwerk')
-rw-r--r-- | netwerk/base/security-prefs.js | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
index f22a49444b..d0adccd879 100644
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -118,6 +118,15 @@ pref("security.ssl.enable_ocsp_must_staple", true);
 // Restart required.
 pref("security.ssl.enable_tls13_compat_mode", false);
+// Enable TLS 1.3 hello downgrade sentinel?
+// One of the key protections offered by TLS 1.3 is preventing protocol downgrades
+// as part of the initial handshake.
+// Some domains, middleware and transparent routers may try to downgrade connections
+// this way (which is a bad thing!). To allow users to connect anyway this
+// check can be disabled here. Default is for the sentinel to be enabled, preventing
+// bad downgrades of the protocol version.
+pref("security.tls.hello_downgrade_check", true);
+
 // If a request is mixed-content, send an HSTS priming request to attempt to
 // see if it is available over HTTPS.
 pref("security.mixed_content.send_hsts_priming", true); |
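Review bot: The comment block added above `pref("security.tls.hello_downgrade_check", true);` explains what the sentinel protects against but not what is lost by turning it off: the pref is a single global switch, so setting it to false removes downgrade detection for every TLS connection the browser makes, not only for the one site or middlebox that is failing, and the added text reads as if it were a per-site workaround. I would add, before the pref line, `// Note: this is a global switch. Disabling it removes version-downgrade detection for ALL` and `// connections, so prefer fixing the offending site or middlebox over flipping this pref.` The neighbouring `security.ssl.enable_tls13_compat_mode` pref carries `// Restart required.`; whether this new pref is read live or only at startup is not visible in the hunk and should be stated the same way. The hunk header's context count is one line larger than the visible context lines, so a blank context line appears to have been lost in this rendering.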