-rw-r--r-- | netwerk/base/security-prefs.js | 6 | ||||
-rw-r--r-- | security/manager/ssl/nsNSSComponent.cpp | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
index 973c731239..745f1072c8 100644
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -120,6 +120,12 @@ pref("security.webauth.u2f_enable_usbtoken", false);
 // OCSP must-staple
 pref("security.ssl.enable_ocsp_must_staple", true);
 
+// Enable TLS 1.3 compatmode version for bad middleware boxes?
+// This is a holdover from the later draft specs and SHOULD NOT be enabled by
+// default. ONLY use this when you explicitly need it. You have been warned!
+// Restart required.
+pref("security.ssl.enable_tls13_compat_mode", false);
+
 // If a request is mixed-content, send an HSTS priming request to attempt to
 // see if it is available over HTTPS.
 pref("security.mixed_content.send_hsts_priming", true);
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 6e6d614410..b9f8b6e21d 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1443,6 +1443,7 @@ static const bool FALSE_START_ENABLED_DEFAULT = true;
 static const bool NPN_ENABLED_DEFAULT = true;
 static const bool ALPN_ENABLED_DEFAULT = false;
 static const bool ENABLED_0RTT_DATA_DEFAULT = false;
+static const bool TLS13_COMPAT_MODE_DEFAULT = false;
 
 static void
 ConfigureTLSSessionIdentifiers()
@@ -1876,6 +1877,11 @@ nsNSSComponent::InitializeNSS()
 Preferences::GetBool("security.tls.enable_0rtt_data",
 ENABLED_0RTT_DATA_DEFAULT));
 
+ // Set TLS 1.3 compatibility mode for bad middleware boxes?
+ SSL_OptionSetDefault(SSL_ENABLE_TLS13_COMPAT_MODE,
+ Preferences::GetBool("security.ssl.enable_tls13_compat_mode",
+ TLS13_COMPAT_MODE_DEFAULT));
+
 if (NS_FAILED(InitializeCipherSuite())) {
 MOZ_LOG(gPIPNSSLog, LogLevel::Error,
 ("Unable to initialize cipher suite settings\n")); |
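Review bot: The comment added above `security.ssl.enable_tls13_compat_mode` warns against the option without saying what it changes, and "a holdover from the later draft specs" is misleading because middlebox compatibility mode is described in the published TLS 1.3 specification (RFC 8446, Appendix D.4). Someone deciding whether to flip the pref cannot judge the trade-off from "You have been warned!". I would replace the first three comment lines with something like `// TLS 1.3 middlebox compatibility mode (RFC 8446, Appendix D.4): makes the` / `// handshake resemble TLS 1.2 for middleboxes that mishandle TLS 1.3. Off by default.` and keep `// Restart required.`. The neighbouring TLS option read in nsNSSComponent.cpp is named `security.tls.enable_0rtt_data`, so a `security.tls.` prefix would be the more consistent name for this pref.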
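Review bot: The return value of the new `SSL_OptionSetDefault(SSL_ENABLE_TLS13_COMPAT_MODE, ...)` call in `nsNSSComponent::InitializeNSS()` is discarded, so if NSS rejects the option the pref reads as set while the handshake behaviour stays unchanged, and nothing is logged. The 0-RTT call just above appears to follow the same pattern, but for an option that exists only to work around connection failures a log line is cheap: `if (SSL_OptionSetDefault(SSL_ENABLE_TLS13_COMPAT_MODE, compatMode) != SECSuccess) { MOZ_LOG(gPIPNSSLog, LogLevel::Warning, ("Unable to set TLS 1.3 compat mode\n")); }`. The in-code comment ends in a question mark and does not mention that the pref is read only here; I would write `// TLS 1.3 middlebox compatibility mode; read once at NSS init, so a pref change needs a restart.` instead. `InitializeNSS()` starts and ends outside this hunk, so whether a pref observer elsewhere in the file should also handle this pref cannot be checked from here.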