janekptacijarabaci
ef825bd0c8
Security - added support for TLS 1.3 (the next part)
2018-07-25 07:11:32 +08:00
janekptacijarabaci
b8198c3a89
Security - added support for TLS 1.3
2018-07-25 07:11:26 +08:00
Pale Moon
dce17a6724
Remove preloading of domain PKPins Part 2
- Remove security.cert_pinning.process_headers_from_non_builtin_roots
Tag #925
2018-07-25 07:11:08 +08:00
Pale Moon
972b14bd7b
Remove preloading of domain PKPins Part 1
- Remove static lists
- Remove tools to generate static lists
- Remove no longer used structs
Tag #925
2018-07-25 07:11:06 +08:00
Pale Moon
d39cf1f468
Upgrade NSS to 3.28.4-RTM
2018-07-25 07:05:57 +08:00
trav90
a3187e5712
Update HSTS preload list
Tag #62.
2018-07-25 07:05:27 +08:00
Pale Moon
f543949da5
Remove duplicate callback case statements.
2018-07-25 06:59:05 +08:00
Pale Moon
c9ad97a8f5
Add support for RSA+AES+SHA256/384 suites for web compatibility.
This adds the following suites for web compatibility despite the
deprecated RSA key exchange that makes little sense with a
very strong HMAC or GCM:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
Only the 256-bit ones are enabled by default.
2018-07-25 06:58:58 +08:00
Pale Moon
c9c81ca7c3
Restore missing RSA+Camellia suites.
2018-07-25 06:58:56 +08:00
NTD
b3a189d2de
Follow up to 7bd7e8a - *aState needs both STATE_IS_SECURE and STATE_SECURE_HIGH on re-eval of mixed content
2018-07-25 06:52:56 +08:00
Pale Moon
3ca7947b8a
Reset mixed-mode page status to secure if no actual load has occurred through the mixed content blocker.
This should take care of injection of non-network URIs that aren't same origin (e.g. extension-sourced data: URIs) triggering mixed-mode warnings.
Assumption here is that data: URIs are safe if "local"; this is a security trade-off that should be acceptable.
2018-07-25 06:52:49 +08:00
Pale Moon
3398a810ae
Update HSTS preload list.
Tag #62.
2018-07-25 06:51:16 +08:00
Pale Moon
f73e220d0b
Remove obsolete patches
2018-07-25 06:51:01 +08:00
Pale Moon
e4f0d12b2c
Enable AES256-GCM for accessibility to overly-strict sites that do not offer ChaCha20.
2018-07-25 06:50:59 +08:00
Pale Moon
348757ed67
Extend {EnabledWeakCiphers} bit field to allow more cipher suites.
2018-07-25 06:50:53 +08:00
Pale Moon
36fc143339
Add AES256-GCM suites to secmanager.
Disabled by default for known wasted performance (40%) on a suite weaker to key attacks than AES128.
2018-07-25 06:50:51 +08:00
Pale Moon
8df1603dfd
Enable ChaCha20-Poly1305 suites.
2018-07-25 06:50:49 +08:00
Pale Moon
5546cc421e
Temporarily disable Camellia-GCM suites in secmanager.
2018-07-25 06:50:45 +08:00
Pale Moon
0ea55177dc
Update NSS symbols
2018-07-25 06:50:43 +08:00
Pale Moon
b9ad123d0b
Misc file updates (non-code)
2018-07-25 06:50:39 +08:00
Pale Moon
b2b68e070d
Base import of NSS-3.28.3-RTM
2018-07-25 06:50:13 +08:00
Pale Moon
1c97ea532c
Update NSS to 3.19.5.1-PM
2018-07-25 06:47:30 +08:00
Pale Moon
572a49f9b6
Provide better file name suggestions when exporting certs.
2018-07-25 06:43:51 +08:00
trav90
17da3b2364
Update HSTS Preload list
2018-07-25 06:42:57 +08:00
Pale Moon
9739829d2d
Don't write HSTS site state to file if HSTS has been user-disabled.
This also adds a missing pref observer.
Follow-up to 9bc65e235b62c4e84c69f301bd89de29769f4abf.
2018-07-25 06:36:48 +08:00
Pale Moon
8bd908fa4b
Reinstate network.stricttransportsecurity.enabled HSTS switch.
Defaults to enabled (HSTS on) but can be flipped to disable the use of the HSTS mechanism, trading security for privacy.
This resolves #830.
2018-07-25 06:36:25 +08:00
trav90
e035fc775e
Update HSTS preload list
2018-07-25 06:22:07 +08:00
trav90
1ab1dc37b6
Update HSTS preload list
2018-07-25 01:30:01 +08:00
Pale Moon
e3a0bb8614
Update in-tree NSS to 3.19.5-PM
2018-07-25 01:29:31 +08:00
Pale Moon
4b96ad2190
HSTS preload list update.
Tag #62.
2018-07-25 01:18:04 +08:00
Pale Moon
b142256756
Update list of known CA root hashes
2018-07-25 01:05:11 +08:00
wolfbeast
131363dc30
Fix SSL status ambiguity.
- Adds CipherSuite string with the full suite
- Changes CipherName to be the actual cipher name instead of the (erroneous) full suite like Firefox does.
This is a reimplementation of 811ce3ff4939b7ece26ad5f99878fc58b92edf7c for Tycho.
2018-07-25 00:55:11 +08:00
trav90
d07f653690
Remove FF references in getHSTSPreloadList.js
2018-07-24 23:39:50 +08:00
trav90
afa5e10326
Update HSTS Preload List
2018-07-24 23:39:44 +08:00
wolfbeast
9cf238a980
Disable unnecessary debug crash breakpoint for not finding a cert.
2018-07-24 23:38:47 +08:00
wolfbeast
611db28b83
Avoid a potential data race condition in sha_fast.c:SHA1_End.
2018-07-24 23:31:21 +08:00
trav90
903fddcff7
Remove conditional crashreporter code
2018-07-24 23:13:57 +08:00
trav90
2f6b96ce9a
Set execute attributes on all .sh files in tree
2018-07-24 23:12:12 +08:00
wolfbeast
edcc56de80
Hook up less common cipher suites + move RC4 to disabled section.
2018-07-24 23:11:55 +08:00
wolfbeast
f1ad132236
Update TLS intolerant fallback handling:
- Disable false starts
- Disable fallback to RC4
- Update whitelist that should override the default for insecure fallbacks
2018-07-24 23:11:55 +08:00
wolfbeast
e52817d90a
Security: Hook up Camellia ciphers, disable RC4.
2018-07-24 23:11:54 +08:00
wolfbeast
e77132d277
Update NSS to 3.19.4.2-PM
2018-07-24 23:11:53 +08:00
trav90
79c32902a4
Remove anonymous namespace around pkix gtests
This avoids fatal -Wunused-variable warnings with GCC 5
2018-07-24 23:11:40 +08:00
wolfbeast
2cb96863fd
Stop enforcing archaic backwards HW compatibility
2018-07-24 23:11:19 +08:00
wolfbeast
53761b6336
Prep tree for forward-porting Goanna: stage 2
2018-07-24 23:11:02 +08:00
wolfbeast
5ee6187aad
Prep tree for forward-porting Goanna, stage 1
2018-07-24 23:10:50 +08:00
Kai Engert
109795613c
Bug 1254986, Upgrade Firefox 38.8 ESR to NSS 3.19.2.4, a=rkothari
2018-07-24 23:10:30 +08:00
Moonchild
baf46a6bf1
Merge pull request #1 from mozilla/esr38: Esr38 upstream pull
2018-07-24 23:04:07 +08:00