/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
pref("security.tls.version.min", 1);
pref("security.tls.version.max", 4);
pref("security.tls.version.fallback-limit", 4);
pref("security.tls.insecure_fallback_hosts", "");
pref("security.tls.enable_0rtt_data", false);
#ifdef RELEASE_OR_BETA
pref("security.tls.hello_downgrade_check", false);
#else
pref("security.tls.hello_downgrade_check", true);
#endif
pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
pref("security.ssl.require_safe_negotiation", false);
pref("security.ssl.enable_ocsp_stapling", true);
pref("security.ssl.enable_false_start", true);
pref("security.ssl.enable_alpn", true);
pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
pref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true);
pref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", true);
pref("security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384", true);
pref("security.ssl3.ecdhe_rsa_aes_256_gcm_sha384", true);
pref("security.ssl3.ecdhe_rsa_aes_128_sha", true);
pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true);
pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
pref("security.ssl3.dhe_rsa_aes_128_sha", true);
pref("security.ssl3.dhe_rsa_aes_256_sha", true);
pref("security.ssl3.rsa_aes_128_sha", true);
pref("security.ssl3.rsa_aes_256_sha", true);
pref("security.ssl3.rsa_des_ede3_sha", true);
pref("security.content.signature.root_hash",
"97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E");
pref("security.default_personal_cert", "Ask Every Time");
pref("security.remember_cert_checkbox_default_setting", true);
pref("security.ask_for_password", 0);
pref("security.password_lifetime", 30);
// The supported values of this pref are:
// 0: disable detecting Family Safety mode and importing the root
// 1: only attempt to detect Family Safety mode (don't import the root)
// 2: detect Family Safety mode and import the root
// (This is only relevant to Windows 8.1)
pref("security.family_safety.mode", 2);
// The supported values of this pref are:
// 0: do not fetch OCSP
// 1: fetch OCSP for DV and EV certificates
// 2: fetch OCSP only for EV certificates
pref("security.OCSP.enabled", 1);
pref("security.OCSP.require", false);
#ifdef RELEASE_OR_BETA
pref("security.OCSP.timeoutMilliseconds.soft", 2000);
#else
pref("security.OCSP.timeoutMilliseconds.soft", 1000);
#endif
pref("security.OCSP.timeoutMilliseconds.hard", 10000);
pref("security.pki.cert_short_lifetime_in_days", 10);
// NB: Changes to this pref affect CERT_CHAIN_SHA1_POLICY_STATUS telemetry.
// See the comment in CertVerifier.cpp.
// 3 = only allow SHA-1 for certificates issued by an imported root.
pref("security.pki.sha1_enforcement_level", 3);
// This preference controls what signature algorithms are accepted for signed
// apps (i.e. add-ons). The number is interpreted as a bit mask with the
// following semantic:
// The lowest order bit determines which PKCS#7 algorithms are accepted.
// xxx_0_: SHA-1 and/or SHA-256 PKCS#7 allowed
// xxx_1_: SHA-256 PKCS#7 allowed
// The next two bits determine whether COSE is required and PKCS#7 is allowed
// x_00_x: COSE disabled, ignore files, PKCS#7 must verify
// x_01_x: COSE is verified if present, PKCS#7 must verify
// x_10_x: COSE is required, PKCS#7 must verify if present
// x_11_x: COSE is required, PKCS#7 disabled (fail when present)
pref("security.signed_app_signatures.policy", 2);
// security.pki.name_matching_mode controls how the platform matches hostnames
// to name information in TLS certificates. The possible values are:
// 0: always fall back to the subject common name if necessary (as in, if the
// subject alternative name extension is either not present or does not
// contain any DNS names or IP addresses)
// 1: fall back to the subject common name for certificates valid before 23
// August 2016 if necessary
// 2: fall back to the subject common name for certificates valid before 23
// August 2015 if necessary
// 3: only use name information from the subject alternative name extension
pref("security.pki.name_matching_mode", 3);
// security.pki.netscape_step_up_policy controls how the platform handles the
// id-Netscape-stepUp OID in extended key usage extensions of CA certificates.
// 0: id-Netscape-stepUp is always considered equivalent to id-kp-serverAuth
// 1: it is considered equivalent when the notBefore is before 23 August 2016
// 2: similarly, but for 23 August 2015
// 3: it is never considered equivalent
#ifdef RELEASE_OR_BETA
pref("security.pki.netscape_step_up_policy", 1);
#else
pref("security.pki.netscape_step_up_policy", 2);
#endif
// Configures Certificate Transparency support mode:
// 0: Fully disabled.
// 1: Only collect telemetry. CT qualification checks are not performed.
pref("security.pki.certificate_transparency.mode", 0);
// Hardware Origin-bound Second Factor Support
pref("security.webauth.u2f", false);
pref("security.webauth.webauthn", true);
// Only one of "enable_softtoken" and "enable_usbtoken" can be true
// at a time.
pref("security.webauth.webauthn_enable_softtoken", false);
pref("security.webauth.webauthn_enable_usbtoken", true);
pref("security.ssl.errorReporting.enabled", true);
pref("security.ssl.errorReporting.url", "https://incoming.telemetry.mozilla.org/submit/sslreports/");
pref("security.ssl.errorReporting.automatic", false);
// Impose a maximum age on HPKP headers, to avoid sites getting permanently
// locking themselves out by setting a bad pin. (60 days by default)
// https://tools.ietf.org/html/rfc7469#section-4.1
pref("security.cert_pinning.max_max_age_seconds", 5184000);
// security.pki.distrust_ca_policy controls what root program distrust policies
// are enforced at this time:
// 0: No distrust policies enforced
// 1: Symantec roots distrusted for certificates issued after cutoff
// 2: Symantec roots distrusted regardless of date
// See https://wiki.mozilla.org/CA/Upcoming_Distrust_Actions for more details.
pref("security.pki.distrust_ca_policy", 2);
// Issuer we use to detect MitM proxies. Set to the issuer of the cert of the
// Firefox update service. The string format is whatever NSS uses to print a DN.
// This value is set and cleared automatically.
pref("security.pki.mitm_canary_issuer", "");
// Set to false to disable the MitM proxy checks.
pref("security.pki.mitm_canary_issuer.enabled", true);
// security.pki.mitm_detected is set to true when a non-built-in root certificate is detected on a
// Firefox update service's connection.
// This value is set automatically.
// The difference between security.pki.mitm_canary_issuer and this pref is that
// here the root is trusted but not a built-in, whereas for
// security.pki.mitm_canary_issuer.enabled, the root is not trusted.
pref("security.pki.mitm_detected", false);