author | Moonchild <moonchild@palemoon.org> | 2023-03-28 13:36:37 +0200 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2023-03-28 15:13:09 +0200 |
commit | 500ece900aacc117b4c3368e587a2d33bcb1519c (patch) | |
tree | d47132377e327ae22660c38a4557fe368a5a5414 /security | |
parent | f90106bd7e89dbb0d932698147fb1819f0a1b3e2 (diff) | |
download | uxp-500ece900aacc117b4c3368e587a2d33bcb1519c.tar.gz |
Issue #2180 - Add pref to control NSS TLS 1.3 protocol downgrade sentinel
Diffstat (limited to 'security')
-rw-r--r-- | security/manager/ssl/nsNSSComponent.cpp | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 82defa2e83..49620c176e 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1440,6 +1440,7 @@ static const bool NPN_ENABLED_DEFAULT = true;
 static const bool ALPN_ENABLED_DEFAULT = false;
 static const bool ENABLED_0RTT_DATA_DEFAULT = false;
 static const bool TLS13_COMPAT_MODE_DEFAULT = false;
+static const bool HELLO_DOWNGRADE_CHECK_DEFAULT = true;

 static void
 ConfigureTLSSessionIdentifiers()
@@ -1853,7 +1854,7 @@ nsNSSComponent::InitializeNSS()
 SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_REQUIRES_XTN);
 SSL_OptionSetDefault(SSL_ENABLE_EXTENDED_MASTER_SECRET, true);
-
+
 SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, Preferences::GetBool("security.ssl.enable_false_start", FALSE_START_ENABLED_DEFAULT));
@@ -1877,6 +1878,13 @@ nsNSSComponent::InitializeNSS()
 SSL_OptionSetDefault(SSL_ENABLE_TLS13_COMPAT_MODE, Preferences::GetBool("security.ssl.enable_tls13_compat_mode", TLS13_COMPAT_MODE_DEFAULT));
+
+ // Set TLS 1.3 hello downgrade sentinel?
+ bool enableDowngradeCheck =
+ Preferences::GetBool("security.tls.hello_downgrade_check",
+ HELLO_DOWNGRADE_CHECK_DEFAULT);
+ SSL_OptionSetDefault(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, enableDowngradeCheck);
+
 if (NS_FAILED(InitializeCipherSuite())) {
@@ -2040,6 +2048,11 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
 if (prefName.EqualsLiteral("security.tls.version.min") ||
 prefName.EqualsLiteral("security.tls.version.max")) {
 (void) setEnabledTLSVersions();
+ } else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) {
+ bool enableDowngradeCheck =
+ Preferences::GetBool("security.tls.hello_downgrade_check",
+ HELLO_DOWNGRADE_CHECK_DEFAULT);
+ SSL_OptionSetDefault(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, enableDowngradeCheck);
 } else if (prefName.EqualsLiteral("security.ssl.require_safe_negotiation")) {
 bool requireSafeNegotiation =
 Preferences::GetBool("security.ssl.require_safe_negotiation", |
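Review bot: The pref read plus `SSL_OptionSetDefault(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, enableDowngradeCheck);` is written out twice, once here in `nsNSSComponent::Observe` and once in `InitializeNSS` (the hunk at -1877), so the two copies can drift; a small static helper called from both places keeps a single source of truth for the pref name, the default and the option. The comment `// Set TLS 1.3 hello downgrade sentinel?` in the InitializeNSS copy reads as if the sentinel were being written, whereas the NSS option name says it controls checking the downgrade sentinel the peer places in ServerHello.random (RFC 8446 §4.1.3); turning it off gives up the protocol's own defense against version downgrade, so the declaration of `HELLO_DOWNGRADE_CHECK_DEFAULT` deserves a comment such as `// true keeps the RFC 8446 4.1.3 downgrade-sentinel check on; false is a compatibility escape hatch only.`. This branch only runs if `security.tls.hello_downgrade_check` is also registered with the pref observer, which this diff does not show; if it is not, the pref takes effect only on restart. Observe's body continues outside the hunk.
```cpp
// Pushes "security.tls.hello_downgrade_check" into NSS. true (the default)
// keeps the RFC 8446 4.1.3 downgrade-sentinel check on; false is a
// compatibility escape hatch only, since it removes the protocol's own
// defense against version downgrade.
static void
ConfigureHelloDowngradeCheck()
{
  bool enableDowngradeCheck =
    Preferences::GetBool("security.tls.hello_downgrade_check",
                         HELLO_DOWNGRADE_CHECK_DEFAULT);
  SSL_OptionSetDefault(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, enableDowngradeCheck);
}

// … unchanged: nsNSSComponent::Observe up to the version.min/max branch …
    } else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) {
      ConfigureHelloDowngradeCheck();
```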