From e52817d90af39b70cc2fa86845e6f9dec40c3852 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 20 Apr 2016 11:59:19 +0200 Subject: [PATCH] Security: Hook up Camellia ciphers, disable RC4. --- netwerk/base/security-prefs.js | 16 +++++++---- security/manager/ssl/src/nsNSSComponent.cpp | 32 ++++++++++++++------- 2 files changed, 32 insertions(+), 16 deletions(-) diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js index a8a8c1cc5a..772dde52b9 100644 --- a/netwerk/base/security-prefs.js +++ b/netwerk/base/security-prefs.js @@ -20,19 +20,25 @@ pref("security.ssl.enable_alpn", true); pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); +pref("security.ssl3.ecdhe_rsa_camellia_128_gcm_sha256", true); +pref("security.ssl3.ecdhe_ecdsa_camellia_128_gcm_sha256", true); pref("security.ssl3.ecdhe_rsa_aes_128_sha", true); pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true); pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); pref("security.ssl3.dhe_rsa_aes_128_sha", true); +pref("security.ssl3.dhe_rsa_camellia_128_sha", true); pref("security.ssl3.dhe_rsa_aes_256_sha", true); -pref("security.ssl3.ecdhe_rsa_rc4_128_sha", true); -pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", true); +pref("security.ssl3.dhe_rsa_camellia_256_sha", true); +pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); +pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); pref("security.ssl3.rsa_aes_128_sha", true); +pref("security.ssl3.rsa_camellia_128_sha", true); pref("security.ssl3.rsa_aes_256_sha", true); +pref("security.ssl3.rsa_camellia_256_sha", true); pref("security.ssl3.rsa_des_ede3_sha", true); -pref("security.ssl3.rsa_rc4_128_sha", true); -pref("security.ssl3.rsa_rc4_128_md5", true); +pref("security.ssl3.rsa_rc4_128_sha", false); +pref("security.ssl3.rsa_rc4_128_md5", false); pref("security.default_personal_cert", "Ask Every Time"); pref("security.remember_cert_checkbox_default_setting", true); @@ -43,6 +49,6 @@ pref("security.OCSP.enabled", 1); pref("security.OCSP.require", false); pref("security.OCSP.GET.enabled", false); -pref("security.ssl.errorReporting.enabled", true); +pref("security.ssl.errorReporting.enabled", false); pref("security.ssl.errorReporting.url", "https://data.mozilla.com/submit/sslreports"); pref("security.ssl.errorReporting.automatic", false); diff --git a/security/manager/ssl/src/nsNSSComponent.cpp b/security/manager/ssl/src/nsNSSComponent.cpp index 13dbd1ea0f..ffcb984031 100644 --- a/security/manager/ssl/src/nsNSSComponent.cpp +++ b/security/manager/ssl/src/nsNSSComponent.cpp @@ -632,32 +632,42 @@ typedef struct { } CipherPref; // Update the switch statement in HandshakeCallback in nsNSSCallbacks.cpp when -// you add/remove cipher suites here. +// you add/remove cipher suites here. (Telemetry) static const CipherPref sCipherPrefs[] = { { "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, true }, { "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, true }, - { "security.ssl3.ecdhe_rsa_aes_128_sha", - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, true }, - { "security.ssl3.ecdhe_ecdsa_aes_128_sha", - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, true }, + + { "security.ssl3.ecdhe_rsa_camellia_128_gcm_sha256", + TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, true }, + { "security.ssl3.ecdhe_ecdsa_camellia_128_gcm_sha256", + TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, true }, { "security.ssl3.ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, true }, { "security.ssl3.ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, true }, - { "security.ssl3.dhe_rsa_aes_128_sha", - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, true }, + { "security.ssl3.ecdhe_rsa_aes_128_sha", + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, true }, + { "security.ssl3.ecdhe_ecdsa_aes_128_sha", + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, true }, { "security.ssl3.dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, true }, + { "security.ssl3.dhe_rsa_camellia_256_sha", + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, true}, + + { "security.ssl3.dhe_rsa_aes_128_sha", + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, true }, + { "security.ssl3.dhe_rsa_camellia_128_sha", + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, true }, { "security.ssl3.ecdhe_rsa_rc4_128_sha", - TLS_ECDHE_RSA_WITH_RC4_128_SHA, true, true }, // deprecated (RC4) + TLS_ECDHE_RSA_WITH_RC4_128_SHA, false, true }, // deprecated (RC4) { "security.ssl3.ecdhe_ecdsa_rc4_128_sha", - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, true, true }, // deprecated (RC4) + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, false, true }, // deprecated (RC4) { "security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, true }, // deprecated (RSA key exchange) @@ -667,9 +677,9 @@ static const CipherPref sCipherPrefs[] = { TLS_RSA_WITH_3DES_EDE_CBC_SHA, true }, // deprecated (RSA key exchange, 3DES) { "security.ssl3.rsa_rc4_128_sha", - TLS_RSA_WITH_RC4_128_SHA, true, true }, // deprecated (RSA key exchange, RC4) + TLS_RSA_WITH_RC4_128_SHA, false, true }, // deprecated (RSA key exchange, RC4) { "security.ssl3.rsa_rc4_128_md5", - TLS_RSA_WITH_RC4_128_MD5, true, true }, // deprecated (RSA key exchange, RC4, HMAC-MD5) + TLS_RSA_WITH_RC4_128_MD5, false, true }, // deprecated (RSA key exchange, RC4, HMAC-MD5) // All the rest are disabled by default