nsNSSComponent: adapted new NSS functions for newer TLS versions.

roytam1 2018-05-04 22:17:21 +08:00
parent 4b7c400df2
commit 14c631acd3


@ -949,6 +949,9 @@ static CipherPref CipherPrefs[] = {
{"security.ssl3.dhe_dss_des_sha", SSL_DHE_DSS_WITH_DES_CBC_SHA}, // 56-bit DES encryption with DSA, DHE, and a SHA1 MAC {"security.ssl3.dhe_dss_des_sha", SSL_DHE_DSS_WITH_DES_CBC_SHA}, // 56-bit DES encryption with DSA, DHE, and a SHA1 MAC
{"security.ssl3.rsa_null_sha", SSL_RSA_WITH_NULL_SHA}, // No encryption with RSA authentication and a SHA1 MAC {"security.ssl3.rsa_null_sha", SSL_RSA_WITH_NULL_SHA}, // No encryption with RSA authentication and a SHA1 MAC
{"security.ssl3.rsa_null_md5", SSL_RSA_WITH_NULL_MD5}, // No encryption with RSA authentication and an MD5 MAC {"security.ssl3.rsa_null_md5", SSL_RSA_WITH_NULL_MD5}, // No encryption with RSA authentication and an MD5 MAC
{"security.ssl3.rsa_seed_sha", TLS_RSA_WITH_SEED_CBC_SHA}, // SEED encryption with RSA and a SHA1 MAC
{"security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, // 128-bit AES-GCM encryption with ECDHE-ECDSA
{"security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, // 128-bit AES-GCM encryption with ECDHE-RSA
{NULL, 0} /* end marker */ {NULL, 0} /* end marker */
}; };
@ -1527,6 +1530,10 @@ nsNSSComponent::InitializeNSS(PRBool showWarningBox)
mPrefBranch->GetBoolPref("security.enable_tls", &enabled); mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled); SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
SSLVersionRange supported;
SSL_VersionRangeGetSupported(ssl_variant_stream, &supported);
SSL_VersionRangeSetDefault(ssl_variant_stream, &supported);
// Disable any ciphers that NSS might have enabled by default // Disable any ciphers that NSS might have enabled by default
for (PRUint16 i = 0; i < SSL_NumImplementedCiphers; ++i) for (PRUint16 i = 0; i < SSL_NumImplementedCiphers; ++i)
{ {
@ -2031,6 +2038,11 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
} else if (prefName.Equals("security.enable_tls")) { } else if (prefName.Equals("security.enable_tls")) {
mPrefBranch->GetBoolPref("security.enable_tls", &enabled); mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled); SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
SSLVersionRange supported;
SSL_VersionRangeGetSupported(ssl_variant_stream, &supported);
SSL_VersionRangeSetDefault(ssl_variant_stream, &supported);
} else if (prefName.Equals("security.OCSP.enabled")) { } else if (prefName.Equals("security.OCSP.enabled")) {
setOCSPOptions(mPrefBranch); setOCSPOptions(mPrefBranch);
} else { } else {
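Review bot: The three added lines after `SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled)` set the default range to everything the library supports without looking at `enabled`, in both `InitializeNSS` and the `security.enable_tls` branch of `Observe`. Turning the pref off therefore appears to have no lasting effect, and the floor becomes whatever `SSL_VersionRangeGetSupported` reports, which can be SSL 3.0 on NSS builds that still ship it. Neither `SECStatus` is checked, so a failed `SSL_VersionRangeGetSupported` passes an uninitialized `supported` to `SSL_VersionRangeSetDefault`. I would raise only the ceiling, and only when the pref is on, as below; the same change applies at both call sites, whose function bodies continue outside the hunks. A short comment saying why the range is widened would help the next reader.

```cpp
SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
// Raise only the upper bound so newer TLS versions are offered; the lower
// bound stays whatever the enable_* prefs produced.
SSLVersionRange supported;
SSLVersionRange defaults;
if (enabled &&
    SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess &&
    SSL_VersionRangeGetDefault(ssl_variant_stream, &defaults) == SECSuccess) {
  defaults.max = supported.max;
  SSL_VersionRangeSetDefault(ssl_variant_stream, &defaults);
}
// … unchanged: cipher disabling loop / remaining pref branches …
```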