Bug 1606734 - Disable TLS 1.0 and 1.1 by default, r=keeler

Also backs out the changes from Bug 1599756.

Differential Revision: https://phabricator.services.mozilla.com/D58583

--HG--
extra : moz-landing-system : lando
Martin Thomson 2020-01-07 00:54:27 +00:00
parent 855264d3a5
commit 06d4c069b8
3 changed files with 14 additions and 22 deletions


@ -19,11 +19,7 @@
// improves readability, particular for conditional blocks that exceed a single
// screen.
#if MOZ_UPDATE_CHANNEL == release || MOZ_UPDATE_CHANNEL == esr
pref("security.tls.version.min", 1);
#else
pref("security.tls.version.min", 3);
#endif
pref("security.tls.version.min", 3);
pref("security.tls.version.max", 4);
pref("security.tls.version.enable-deprecated", false);
pref("security.tls.version.fallback-limit", 4);
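Review bot: The numeric encoding of `security.tls.version.min`/`max` is undocumented in this prefs file, while the C++ side (nsNSSComponent.cpp in this same commit) spells out that 1 means TLS 1.0, 2 means TLS 1.1 and so on and asks that the two be kept in sync. A one-line comment above `pref("security.tls.version.min", 3);` would make the new floor legible to whoever edits it next: `// 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3; keep in sync with PSM_DEFAULT_*_TLS_VERSION in nsNSSComponent.cpp.` It is also worth noting next to `security.tls.version.enable-deprecated` that setting it to true appears to lower the effective minimum back to TLS 1.0 regardless of the value of `security.tls.version.min`, since the C++ override clamps the minimum down rather than merely permitting a lower setting.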


@ -1313,25 +1313,26 @@ void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
mEnterpriseCerts);
}
// Enable the TLS versions given in the prefs, defaulting to TLS 1.0 (min) and
// TLS 1.2 (max) when the prefs aren't set or set to invalid values.
// Enable the TLS versions given in the prefs, defaulting to TLS 1.2 (min) and
// TLS 1.3 (max) when the prefs aren't set or set to invalid values.
nsresult nsNSSComponent::setEnabledTLSVersions() {
// Keep these values in sync with all.js.
// 1 means TLS 1.0, 2 means TLS 1.1, etc.
static const uint32_t PSM_DEFAULT_MIN_TLS_VERSION = 1;
static const uint32_t PSM_DEFAULT_MIN_TLS_VERSION = 3;
static const uint32_t PSM_DEFAULT_MAX_TLS_VERSION = 4;
static const uint32_t PSM_DEPRECATED_TLS_VERSION = 1;
uint32_t minFromPrefs = Preferences::GetUint("security.tls.version.min",
PSM_DEFAULT_MIN_TLS_VERSION);
uint32_t maxFromPrefs = Preferences::GetUint("security.tls.version.max",
PSM_DEFAULT_MAX_TLS_VERSION);
// This override should be removed when PSM_DEFAULT_MIN_TLS_VERSION is
// This override should be removed after PSM_DEFAULT_MIN_TLS_VERSION is
// increased to 3 in March 2020, see bug 1579285.
bool enableDeprecated =
Preferences::GetBool("security.tls.version.enable-deprecated", false);
if (enableDeprecated) {
minFromPrefs = std::min(minFromPrefs, PSM_DEFAULT_MIN_TLS_VERSION);
minFromPrefs = std::min(minFromPrefs, PSM_DEPRECATED_TLS_VERSION);
}
SSLVersionRange defaults = {
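Review bot: The retained comment `// This override should be removed after PSM_DEFAULT_MIN_TLS_VERSION is / increased to 3 in March 2020, see bug 1579285.` is now self-contradictory, because this very hunk raises `PSM_DEFAULT_MIN_TLS_VERSION` to 3 today, so its stated condition is already met and a reader cannot tell whether the override is overdue for removal or scheduled for later. Suggest stating the schedule directly: `// Temporary escape hatch: security.tls.version.enable-deprecated lowers the floor to TLS 1.0 (PSM_DEPRECATED_TLS_VERSION). Remove it, and that constant, in March 2020 per bug 1579285.` That comment should also say that with the pref set, `std::min(minFromPrefs, PSM_DEPRECATED_TLS_VERSION)` discards any higher `security.tls.version.min` the user configured, since a silent downgrade of an explicit setting is the kind of behaviour a future maintainer will otherwise assume is a bug. setEnabledTLSVersions continues past the end of the hunk.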


@ -24,11 +24,6 @@ AddonTestUtils.overrideCertDB();
createAppInfo("xpcshell@tests.mozilla.org", "XPCShell", "1", "42");
// Currently security.tls.version.min has a different default
// value in Nightly and Beta/Release builds.
const tlsMinPref = Services.prefs.getIntPref("security.tls.version.min");
const tlsMinVer = tlsMinPref === 3 ? "TLSv1.2" : "TLSv1";
add_task(async function test_privacy() {
// Create an object to hold the values to which we will initialize the prefs.
const SETTINGS = {
@ -284,7 +279,7 @@ add_task(async function test_privacy_other_prefs() {
"media.peerconnection.ice.proxy_only": false,
},
"network.tlsVersionRestriction": {
"security.tls.version.min": 1,
"security.tls.version.min": 3,
"security.tls.version.max": 4,
},
"network.peerConnectionEnabled": {
@ -590,11 +585,11 @@ add_task(async function test_privacy_other_prefs() {
maximum: "TLSv1.1",
},
{
"security.tls.version.min": tlsMinPref,
"security.tls.version.min": 3,
"security.tls.version.max": 2,
},
{
minimum: tlsMinVer,
minimum: "TLSv1.2",
maximum: "TLSv1.1",
}
);
@ -606,11 +601,11 @@ add_task(async function test_privacy_other_prefs() {
maximum: "invalid",
},
{
"security.tls.version.min": tlsMinPref,
"security.tls.version.min": 3,
"security.tls.version.max": 4,
},
{
minimum: tlsMinVer,
minimum: "TLSv1.2",
maximum: "TLSv1.3",
}
);
@ -652,11 +647,11 @@ add_task(async function test_privacy_other_prefs() {
maximum: "TLSv1.2",
},
{
"security.tls.version.min": tlsMinPref,
"security.tls.version.min": 3,
"security.tls.version.max": 3,
},
{
minimum: tlsMinVer,
minimum: "TLSv1.2",
maximum: "TLSv1.2",
}
);