author | Moonchild <moonchild@palemoon.org> | 2021-10-11 22:16:04 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2022-04-01 14:52:46 +0200 |
commit | 1caa678592ac5c372975bdaa24ce01b470349b1f (patch) | |
tree | 8c40267af010fb9469c11545eeeacac312680f07 /security | |
parent | ddaee7c1be914cc28a28cbe27e5922215b3b2e6f (diff) | |
Issue #1831 - Add an option to enable TLS 1.3 "compatibility" mode.
Critical note: this potentially reduces the strength of TLS 1.3 and
should only be enabled if absolutely necessary to access a site.
A browser restart is required for the pref change to take effect as it
is set on NSS initialization.
Resolves #1831
Diffstat (limited to 'security')
-rw-r--r-- | security/manager/ssl/nsNSSComponent.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 6e6d614410..b9f8b6e21d 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1443,6 +1443,7 @@ static const bool FALSE_START_ENABLED_DEFAULT = true;
 static const bool NPN_ENABLED_DEFAULT = true;
 static const bool ALPN_ENABLED_DEFAULT = false;
 static const bool ENABLED_0RTT_DATA_DEFAULT = false;
+static const bool TLS13_COMPAT_MODE_DEFAULT = false;
 static void ConfigureTLSSessionIdentifiers()
@@ -1876,6 +1877,11 @@ nsNSSComponent::InitializeNSS()
 Preferences::GetBool("security.tls.enable_0rtt_data",
 ENABLED_0RTT_DATA_DEFAULT));
+ // Set TLS 1.3 compatibility mode for bad middleware boxes?
+ SSL_OptionSetDefault(SSL_ENABLE_TLS13_COMPAT_MODE,
+ Preferences::GetBool("security.ssl.enable_tls13_compat_mode",
+ TLS13_COMPAT_MODE_DEFAULT));
+
 if (NS_FAILED(InitializeCipherSuite())) {
 MOZ_LOG(gPIPNSSLog, LogLevel::Error,
 ("Unable to initialize cipher suite settings\n")); |
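Review bot: The comment added above the `SSL_OptionSetDefault(SSL_ENABLE_TLS13_COMPAT_MODE, ...)` call in `InitializeNSS()` is phrased as a question and leaves out the two things the commit message treats as critical: the pref is read once at NSS initialization, so a change only takes effect after a restart, and the option should stay off unless a site is unreachable without it. I would replace it with `// TLS 1.3 middlebox compatibility mode; off by default, enable only when a site is unreachable without it.` followed by `// Read once at NSS init: changing security.ssl.enable_tls13_compat_mode requires a restart.` The `SECStatus` returned by `SSL_OptionSetDefault` is also discarded here, as the 0-RTT call just above appears to do, so if NSS rejects the option the failure is silent and the pref looks enabled while having no effect; logging a failure through `gPIPNSSLog` would make that visible. The body of `InitializeNSS()` starts and ends outside the hunk.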