From 7807ef43468ec2bfdbba6257621fcbf3e9e44dd2 Mon Sep 17 00:00:00 2001 From: Brian Smith Date: Thu, 11 Apr 2013 11:02:51 -0700 Subject: [PATCH] Bug 733642: Allow the user to enable any version of TLS that libssl supports, maintaining our current defaults, r=dolske --HG-- extra : rebase_source : 3484236a9d357b70a88387e0f27d3757db79bd4b --- browser/app/profile/firefox.js | 4 +- netwerk/base/public/security-prefs.js | 4 +- security/manager/ssl/src/nsNSSComponent.cpp | 58 ++++++++++++++++----- security/manager/ssl/src/nsNSSComponent.h | 1 + 4 files changed, 51 insertions(+), 16 deletions(-) diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js index 3f971113fcc3..ae2642280ce0 100644 --- a/browser/app/profile/firefox.js +++ b/browser/app/profile/firefox.js @@ -1014,8 +1014,8 @@ pref("services.sync.prefs.sync.security.OCSP.disable_button.managecrl", true); pref("services.sync.prefs.sync.security.OCSP.enabled", true); pref("services.sync.prefs.sync.security.OCSP.require", true); pref("services.sync.prefs.sync.security.default_personal_cert", true); -pref("services.sync.prefs.sync.security.enable_ssl3", true); -pref("services.sync.prefs.sync.security.enable_tls", true); +pref("services.sync.prefs.sync.security.security.tls.version.min", true); +pref("services.sync.prefs.sync.security.security.tls.version.max", true); pref("services.sync.prefs.sync.signon.rememberSignons", true); pref("services.sync.prefs.sync.spellchecker.dictionary", true); pref("services.sync.prefs.sync.xpinstall.whitelist.required", true); diff --git a/netwerk/base/public/security-prefs.js b/netwerk/base/public/security-prefs.js index 296ba2208c0a..e03792562d39 100644 --- a/netwerk/base/public/security-prefs.js +++ b/netwerk/base/public/security-prefs.js @@ -2,8 +2,8 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -pref("security.enable_ssl3", true); -pref("security.enable_tls", true); +pref("security.tls.version.min", 0); +pref("security.tls.version.max", 1); pref("security.enable_tls_session_tickets", true); pref("security.enable_md5_signatures", false); diff --git a/security/manager/ssl/src/nsNSSComponent.cpp b/security/manager/ssl/src/nsNSSComponent.cpp index e08fc387fee6..8b91e5fc82e2 100644 --- a/security/manager/ssl/src/nsNSSComponent.cpp +++ b/security/manager/ssl/src/nsNSSComponent.cpp @@ -1123,6 +1123,40 @@ void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref) SSL_ClearSessionCache(); } +// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 and +// TLS 1.0 when the prefs aren't set or when they are set to invalid values. +nsresult +nsNSSComponent::setEnabledTLSVersions(nsIPrefBranch * prefBranch) +{ + // keep these values in sync with security-prefs.js and firefox.js + static const PRInt32 PSM_DEFAULT_MIN_TLS_VERSION = 0; + static const PRInt32 PSM_DEFAULT_MAX_TLS_VERSION = 1; + + PRInt32 minVersion = PSM_DEFAULT_MIN_TLS_VERSION; + PRInt32 maxVersion = PSM_DEFAULT_MAX_TLS_VERSION; + mPrefBranch->GetIntPref("security.tls.version.min", &minVersion); + mPrefBranch->GetIntPref("security.tls.version.max", &maxVersion); + + // 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc. + minVersion += SSL_LIBRARY_VERSION_3_0; + maxVersion += SSL_LIBRARY_VERSION_3_0; + + SSLVersionRange range = { (PRUint16) minVersion, (PRUint16) maxVersion }; + + if (minVersion != (PRInt32) range.min || // prevent truncation + maxVersion != (PRInt32) range.max || // prevent truncation + SSL_VersionRangeSetDefault(ssl_variant_stream, &range) != SECSuccess) { + range.min = SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION; + range.max = SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION; + if (SSL_VersionRangeSetDefault(ssl_variant_stream, &range) + != SECSuccess) { + return NS_ERROR_UNEXPECTED; + } + } + + return NS_OK; +} + NS_IMETHODIMP nsNSSComponent::SkipOcsp() { @@ -1733,11 +1767,15 @@ nsNSSComponent::InitializeNSS(bool showWarningBox) SSL_OptionSetDefault(SSL_ENABLE_SSL2, false); SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false); - bool enabled; - mPrefBranch->GetBoolPref("security.enable_ssl3", &enabled); - SSL_OptionSetDefault(SSL_ENABLE_SSL3, enabled); - mPrefBranch->GetBoolPref("security.enable_tls", &enabled); - SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled); + + rv = setEnabledTLSVersions(mPrefBranch); + if (NS_FAILED(rv)) { + nsPSMInitPanic::SetPanic(); + return NS_ERROR_UNEXPECTED; + } + + bool enabled = true; // XXX: see bug 733644 + mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled); configureMD5(enabled); @@ -2218,13 +2256,9 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic, bool enabled; NS_ConvertUTF16toUTF8 prefName(someData); - if (prefName.Equals("security.enable_ssl3")) { - mPrefBranch->GetBoolPref("security.enable_ssl3", &enabled); - SSL_OptionSetDefault(SSL_ENABLE_SSL3, enabled); - clearSessionCache = true; - } else if (prefName.Equals("security.enable_tls")) { - mPrefBranch->GetBoolPref("security.enable_tls", &enabled); - SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled); + if (prefName.Equals("security.tls.version.min") || + prefName.Equals("security.tls.version.max")) { + (void) setEnabledTLSVersions(mPrefBranch); clearSessionCache = true; } else if (prefName.Equals("security.enable_md5_signatures")) { mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled); diff --git a/security/manager/ssl/src/nsNSSComponent.h b/security/manager/ssl/src/nsNSSComponent.h index 37eab89a38f7..0f3ee52818ed 100644 --- a/security/manager/ssl/src/nsNSSComponent.h +++ b/security/manager/ssl/src/nsNSSComponent.h @@ -281,6 +281,7 @@ private: void UnloadLoadableRoots(); void CleanupIdentityInfo(); void setValidationOptions(nsIPrefBranch * pref); + nsresult setEnabledTLSVersions(nsIPrefBranch * pref); nsresult InitializePIPNSSBundle(); nsresult ConfigureInternalPKCS11Token(); nsresult RegisterPSMContentListener();