mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-12-04 11:26:09 +00:00
134 lines
4.9 KiB
Plaintext
134 lines
4.9 KiB
Plaintext
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "nsISupports.idl"
|
|
|
|
interface nsIInterfaceRequestor;
|
|
interface nsIX509Cert;
|
|
|
|
%{C++
|
|
template<class T> class nsTArray;
|
|
class nsCString;
|
|
%}
|
|
[ref] native nsCStringTArrayRef(nsTArray<nsCString>);
|
|
|
|
[scriptable, builtinclass, uuid(f160ec31-01f3-47f2-b542-0e12a647b07f)]
|
|
interface nsISSLSocketControl : nsISupports {
|
|
attribute nsIInterfaceRequestor notificationCallbacks;
|
|
|
|
void proxyStartSSL();
|
|
void StartTLS();
|
|
|
|
/* NPN (Next Protocol Negotiation) is a mechanism for
|
|
negotiating the protocol to be spoken inside the SSL
|
|
tunnel during the SSL handshake. The NPNList is the list
|
|
of offered client side protocols. setNPNList() needs to
|
|
be called before any data is read or written (including the
|
|
handshake to be setup correctly. The server determines the
|
|
priority when multiple matches occur, but if there is no overlap
|
|
the first protocol in the list is used. */
|
|
|
|
[noscript] void setNPNList(in nsCStringTArrayRef aNPNList);
|
|
|
|
/* negotiatedNPN is '' if no NPN list was provided by the client,
|
|
* or if the server did not select any protocol choice from that
|
|
* list. That also includes the case where the server does not
|
|
* implement NPN.
|
|
*
|
|
* If negotiatedNPN is read before NPN has progressed to the point
|
|
* where this information is available NS_ERROR_NOT_CONNECTED is
|
|
* raised.
|
|
*/
|
|
readonly attribute ACString negotiatedNPN;
|
|
|
|
/* Determine if a potential SSL connection to hostname:port with
|
|
* a desired NPN negotiated protocol of npnProtocol can use the socket
|
|
* associated with this object instead of making a new one.
|
|
*/
|
|
boolean joinConnection(
|
|
in ACString npnProtocol, /* e.g. "spdy/2" */
|
|
in ACString hostname,
|
|
in long port);
|
|
|
|
/* Determine if existing connection should be trusted to convey information about
|
|
* a hostname.
|
|
*/
|
|
boolean isAcceptableForHost(in ACString hostname);
|
|
|
|
/* The Key Exchange Algorithm is used when determining whether or
|
|
not to do false start and whether or not HTTP/2 can be used.
|
|
|
|
After a handshake is complete it can be read from KEAUsed,
|
|
before a handshake is started it may be set through KEAExpected.
|
|
The values correspond to the SSLKEAType enum in NSS or the
|
|
KEY_EXCHANGE_UNKNOWN constant defined below.
|
|
|
|
KEAKeyBits is the size/security-level used for the KEA.
|
|
*/
|
|
|
|
[infallible] readonly attribute short KEAUsed;
|
|
[infallible] attribute short KEAExpected;
|
|
[infallible] readonly attribute unsigned long KEAKeyBits;
|
|
|
|
const short KEY_EXCHANGE_UNKNOWN = -1;
|
|
|
|
/*
|
|
* The original flags from the socket provider.
|
|
*/
|
|
readonly attribute uint32_t providerFlags;
|
|
|
|
/* These values are defined by TLS. */
|
|
const short SSL_VERSION_3 = 0x0300;
|
|
const short TLS_VERSION_1 = 0x0301;
|
|
const short TLS_VERSION_1_1 = 0x0302;
|
|
const short TLS_VERSION_1_2 = 0x0303;
|
|
const short SSL_VERSION_UNKNOWN = -1;
|
|
|
|
[infallible] readonly attribute short SSLVersionUsed;
|
|
[infallible] readonly attribute short SSLVersionOffered;
|
|
|
|
/* These values match the NSS defined values in sslt.h */
|
|
const short SSL_MAC_UNKNOWN = -1;
|
|
const short SSL_MAC_NULL = 0;
|
|
const short SSL_MAC_MD5 = 1;
|
|
const short SSL_MAC_SHA = 2;
|
|
const short SSL_HMAC_MD5 = 3;
|
|
const short SSL_HMAC_SHA = 4;
|
|
const short SSL_HMAC_SHA256 = 5;
|
|
const short SSL_MAC_AEAD = 6;
|
|
|
|
[infallible] readonly attribute short MACAlgorithmUsed;
|
|
|
|
/**
|
|
* If set before the server requests a client cert (assuming it does so at
|
|
* all), then this cert will be presented to the server, instead of asking
|
|
* the user or searching the set of rememebered user cert decisions.
|
|
*/
|
|
attribute nsIX509Cert clientCert;
|
|
|
|
/**
|
|
* If you wish to verify the host certificate using a different name than
|
|
* was used for the tcp connection, but without using proxy semantics, you
|
|
* can set authenticationName and authenticationPort
|
|
*/
|
|
attribute ACString authenticationName;
|
|
[infallible] attribute long authenticationPort;
|
|
|
|
/**
|
|
* set bypassAuthentication to true if the server certificate checks should
|
|
* not be enforced. This is to enable non-secure transport over TLS.
|
|
*/
|
|
[infallible] attribute boolean bypassAuthentication;
|
|
|
|
/*
|
|
* failedVerification is true if any enforced certificate checks have failed.
|
|
* Connections that have not yet tried to verify, have verifications bypassed,
|
|
* or are using acceptable exceptions will all return false.
|
|
*/
|
|
[infallible] readonly attribute boolean failedVerification;
|
|
};
|
|
|