summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2017-07-20 14:19:54 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-02-02 19:06:52 +0100
commit34e23129f401487e53240f6bb74147104bbfced5 (patch)
tree365980f925070ec3e3c7310c03ee6e1dfcb6510a /security
parentc0ffa0fe9889f28502aa1dc0f7293425ac6278ba (diff)
downloaduxp-34e23129f401487e53240f6bb74147104bbfced5.tar.gz
Disable 3DES cipher by default + re-order a few things.
Issue mcp-graveyard/UXP#4 point 4
Diffstat (limited to 'security')
-rw-r--r--security/manager/ssl/nsNSSComponent.cpp15
1 files changed, 9 insertions, 6 deletions
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 89b33b7c22..1bcdcc1b02 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1344,9 +1344,6 @@ static const CipherPref sCipherPrefs[] = {
{ "security.ssl3.ecdhe_ecdsa_aes_256_sha",
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, true },
- { "security.ssl3.dhe_rsa_aes_128_sha",
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA, true },
-
{ "security.ssl3.dhe_rsa_camellia_256_sha",
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, true},
{ "security.ssl3.dhe_rsa_aes_256_sha",
@@ -1354,6 +1351,9 @@ static const CipherPref sCipherPrefs[] = {
{ "security.ssl3.dhe_rsa_camellia_128_sha",
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, true },
+ { "security.ssl3.dhe_rsa_aes_128_sha",
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, true },
+
{ "security.tls13.aes_128_gcm_sha256",
TLS_AES_128_GCM_SHA256, true },
{ "security.tls13.chacha20_poly1305_sha256",
@@ -1361,6 +1361,7 @@ static const CipherPref sCipherPrefs[] = {
{ "security.tls13.aes_256_gcm_sha384",
TLS_AES_256_GCM_SHA384, true },
+ // Deprecated (RSA key exchange):
{ "security.ssl3.rsa_aes_256_gcm_sha384",
TLS_RSA_WITH_AES_256_GCM_SHA384, true },
{ "security.ssl3.rsa_aes_256_sha256",
@@ -1370,15 +1371,17 @@ static const CipherPref sCipherPrefs[] = {
{"security.ssl3.rsa_camellia_256_sha",
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, true },
{ "security.ssl3.rsa_aes_128_sha",
- TLS_RSA_WITH_AES_128_CBC_SHA, true }, // deprecated (RSA key exchange)
+ TLS_RSA_WITH_AES_128_CBC_SHA, true },
{ "security.ssl3.rsa_aes_256_sha",
- TLS_RSA_WITH_AES_256_CBC_SHA, true }, // deprecated (RSA key exchange)
+ TLS_RSA_WITH_AES_256_CBC_SHA, true },
+
+// Expensive/deprecated/weak
{ "security.ssl3.rsa_aes_128_gcm_sha256",
TLS_RSA_WITH_AES_128_GCM_SHA256, false }, // Deprecated
{ "security.ssl3.rsa_aes_128_sha256",
TLS_RSA_WITH_AES_128_CBC_SHA256, false }, // Deprecated
{ "security.ssl3.rsa_des_ede3_sha",
- TLS_RSA_WITH_3DES_EDE_CBC_SHA, true }, // deprecated (RSA key exchange, 3DES)
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA, false }, // Weak (3DES)
// All the rest are disabled