Bug 733642: Allow the user to enable any version of TLS that libssl supports, maintaining our current defaults, r=dolske

--HG--
extra : rebase_source : 3484236a9d357b70a88387e0f27d3757db79bd4b
Brian Smith 2013-04-11 11:02:51 -07:00
parent 67d81b5f90
commit 7807ef4346
4 changed files with 51 additions and 16 deletions


@ -1014,8 +1014,8 @@ pref("services.sync.prefs.sync.security.OCSP.disable_button.managecrl", true);
pref("services.sync.prefs.sync.security.OCSP.enabled", true);
pref("services.sync.prefs.sync.security.OCSP.require", true);
pref("services.sync.prefs.sync.security.default_personal_cert", true);
pref("services.sync.prefs.sync.security.enable_ssl3", true);
pref("services.sync.prefs.sync.security.enable_tls", true);
pref("services.sync.prefs.sync.security.security.tls.version.min", true);
pref("services.sync.prefs.sync.security.security.tls.version.max", true);
pref("services.sync.prefs.sync.signon.rememberSignons", true);
pref("services.sync.prefs.sync.spellchecker.dictionary", true);
pref("services.sync.prefs.sync.xpinstall.whitelist.required", true);
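Review bot: The two new sync keys for the TLS version prefs carry a doubled `security.security.` segment, so they register a pref named `security.security.tls.version.min`/`.max`, which does not match the `security.tls.version.min`/`.max` prefs this same commit defines in security-prefs.js. Every sibling entry here (`services.sync.prefs.sync.security.OCSP.enabled`, `...security.default_personal_cert`) follows the pattern `services.sync.prefs.sync.` + pref name, so unless the sync code tolerates the extra segment these two prefs would silently never sync. Proposed: `pref("services.sync.prefs.sync.security.tls.version.min", true);` and `pref("services.sync.prefs.sync.security.tls.version.max", true);`.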


@ -2,8 +2,8 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
pref("security.enable_ssl3", true);
pref("security.enable_tls", true);
pref("security.tls.version.min", 0);
pref("security.tls.version.max", 1);
pref("security.enable_tls_session_tickets", true);
pref("security.enable_md5_signatures", false);
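Review bot: The defaults `0` and `1` for `security.tls.version.min`/`.max` are opaque to anyone editing this file, since the encoding is documented only in a comment inside nsNSSComponent::setEnabledTLSVersions, and that function in turn asks for its constants to be kept in sync with this file. Add a comment above the two prefs, e.g. `// Offsets from SSL 3.0: 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, etc. Unsupported or inverted values fall back to the defaults hard-coded in nsNSSComponent::setEnabledTLSVersions; keep the two in sync.` That gives an administrator raising the minimum version the information needed to pick a valid value without reading the C++.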


@ -1123,6 +1123,40 @@ void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref)
SSL_ClearSessionCache();
}
// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 and
// TLS 1.0 when the prefs aren't set or when they are set to invalid values.
nsresult
nsNSSComponent::setEnabledTLSVersions(nsIPrefBranch * prefBranch)
{
// keep these values in sync with security-prefs.js and firefox.js
static const PRInt32 PSM_DEFAULT_MIN_TLS_VERSION = 0;
static const PRInt32 PSM_DEFAULT_MAX_TLS_VERSION = 1;
PRInt32 minVersion = PSM_DEFAULT_MIN_TLS_VERSION;
PRInt32 maxVersion = PSM_DEFAULT_MAX_TLS_VERSION;
mPrefBranch->GetIntPref("security.tls.version.min", &minVersion);
mPrefBranch->GetIntPref("security.tls.version.max", &maxVersion);
// 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.
minVersion += SSL_LIBRARY_VERSION_3_0;
maxVersion += SSL_LIBRARY_VERSION_3_0;
SSLVersionRange range = { (PRUint16) minVersion, (PRUint16) maxVersion };
if (minVersion != (PRInt32) range.min || // prevent truncation
maxVersion != (PRInt32) range.max || // prevent truncation
SSL_VersionRangeSetDefault(ssl_variant_stream, &range) != SECSuccess) {
range.min = SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION;
range.max = SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION;
if (SSL_VersionRangeSetDefault(ssl_variant_stream, &range)
!= SECSuccess) {
return NS_ERROR_UNEXPECTED;
}
}
return NS_OK;
}
NS_IMETHODIMP
nsNSSComponent::SkipOcsp()
{
@ -1733,11 +1767,15 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
SSL_OptionSetDefault(SSL_ENABLE_SSL2, false);
SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false);
bool enabled;
mPrefBranch->GetBoolPref("security.enable_ssl3", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_SSL3, enabled);
mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
rv = setEnabledTLSVersions(mPrefBranch);
if (NS_FAILED(rv)) {
nsPSMInitPanic::SetPanic();
return NS_ERROR_UNEXPECTED;
}
bool enabled = true; // XXX: see bug 733644
mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
configureMD5(enabled);
@ -2218,13 +2256,9 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
bool enabled;
NS_ConvertUTF16toUTF8 prefName(someData);
if (prefName.Equals("security.enable_ssl3")) {
mPrefBranch->GetBoolPref("security.enable_ssl3", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_SSL3, enabled);
clearSessionCache = true;
} else if (prefName.Equals("security.enable_tls")) {
mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
if (prefName.Equals("security.tls.version.min") ||
prefName.Equals("security.tls.version.max")) {
(void) setEnabledTLSVersions(mPrefBranch);
clearSessionCache = true;
} else if (prefName.Equals("security.enable_md5_signatures")) {
mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
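Review bot: setEnabledTLSVersions declares a `prefBranch` parameter but both GetIntPref calls read `mPrefBranch`, so the argument passed from InitializeNSS and Observe is ignored; either drop the parameter or use it, `prefBranch->GetIntPref("security.tls.version.min", &minVersion);` and `prefBranch->GetIntPref("security.tls.version.max", &maxVersion);`. Also, an unsupported or inverted (min > max) user value is silently replaced by the SSL 3.0–TLS 1.0 defaults, and the Observe hunk discards the result with `(void)`, so a user who tries to raise the minimum version and mistypes it ends up with a weaker range than intended and no diagnostic; a log line in the fallback branch (the file's existing PR_LOG channel, if available) would make that visible. Note that a negative pref value can still pass the truncation guard (e.g. -1 yields SSL_LIBRARY_VERSION_3_0 - 1, which fits in PRUint16), so rejecting it depends entirely on SSL_VersionRangeSetDefault validating the range, which appears to be the case but is worth confirming or checking explicitly before the cast. InitializeNSS and Observe both begin outside their hunks.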


@ -281,6 +281,7 @@ private:
void UnloadLoadableRoots();
void CleanupIdentityInfo();
void setValidationOptions(nsIPrefBranch * pref);
nsresult setEnabledTLSVersions(nsIPrefBranch * pref);
nsresult InitializePIPNSSBundle();
nsresult ConfigureInternalPKCS11Token();
nsresult RegisterPSMContentListener();