security: really enable TLS 1.2

2026-05-26 13:58:38 +00:00 · 2018-03-03 13:39:18 +08:00
parent 542617c382
commit 1c2db1c5b9
5 changed files with 13 additions and 1 deletions
@@ -83,6 +83,9 @@ var security = {
        case nsISSLStatus.TLS_VERSION_1_2:
          retval.version = "TLS 1.2"
          break;
+        case nsISSLStatus.TLS_VERSION_1_3:
+          retval.version = "TLS 1.3"
+          break;
      }

      return retval;
@@ -137,6 +137,7 @@ DEFAULT_GMAKE_FLAGS += NSPR_LIB_DIR=$(NSPR_LIB_DIR)
 DEFAULT_GMAKE_FLAGS += MOZILLA_CLIENT=1
 DEFAULT_GMAKE_FLAGS += NO_MDUPDATE=1
 DEFAULT_GMAKE_FLAGS += NSS_ENABLE_ECC=1
+DEFAULT_GMAKE_FLAGS += NSS_ENABLE_TLS_1_3=1
 ifeq ($(OS_ARCH)_$(GNU_CC),WINNT_1)
 DEFAULT_GMAKE_FLAGS += OS_DLLFLAGS='-static-libgcc'
 endif
@@ -21,6 +21,7 @@ interface nsISSLStatus : nsISupports {
  const short TLS_VERSION_1   = 1;
  const short TLS_VERSION_1_1 = 2;
  const short TLS_VERSION_1_2 = 3;
+  const short TLS_VERSION_1_3 = 4;
  readonly attribute unsigned long protocolVersion;

  readonly attribute boolean isDomainMismatch;
@@ -935,7 +935,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
  MOZ_ASSERT(rv == SECSuccess);
  if (rv == SECSuccess) {
    // Get the protocol version
-    // 0=ssl3, 1=tls1, 2=tls1.1, 3=tls1.2
+    // 0=ssl3, 1=tls1, 2=tls1.1, 3=tls1.2, 4=tls1.3
    unsigned int versionEnum = channelInfo.protocolVersion & 0xFF;

    SSLCipherSuiteInfo cipherInfo;
@@ -839,6 +839,13 @@ static const CipherPref CipherPrefs[] = {
 { "security.ssl3.ecdhe_ecdsa_camellia_128_gcm_sha256",
   TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, true },*/

+ { "security.tls13.aes_128_gcm_sha256",
+   TLS_AES_128_GCM_SHA256, true },
+ { "security.tls13.chacha20_poly1305_sha256",
+   TLS_CHACHA20_POLY1305_SHA256, true },
+ { "security.tls13.aes_256_gcm_sha384",
+   TLS_AES_256_GCM_SHA384, true },
+
 { "security.ssl3.ecdhe_ecdsa_aes_256_sha",
   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, true },
 { "security.ssl3.ecdhe_rsa_aes_256_sha",