/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
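// TLS protocol version bounds. These are Firefox's numeric version codes, not
// version numbers (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3 —
// confirm against the version table in the NSS integration code). Raising the
// minimum is the main hardening lever here; the floor stays at TLS 1.0 for
// compatibility with old servers.
pref("security.tls.version.min", 1);
pref("security.tls.version.max", 4);
// Lowest version the insecure version-fallback may retry with (same
// numbering). With 3, a connection is never downgraded below TLS 1.2.
pref("security.tls.version.fallback-limit", 3);
// Hosts exempt from the fallback limit (presumably a comma-separated list).
// Empty by default; every entry added here is an explicit downgrade allowance.
pref("security.tls.insecure_fallback_hosts", "");
// TLS 1.3 0-RTT early data. Early data is replayable by design (RFC 8446
// section 8), so it stays off unless the application layer is replay-safe.
pref("security.tls.enable_0rtt_data", false);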
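// Renegotiation policy (RFC 5746 secure renegotiation indication). Both are
// false here: judging by the pref names, servers without the extension are
// still accepted and are not flagged as broken, while require_safe_negotiation
// = true would reject them outright — confirm in the NSS socket layer code.
pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
pref("security.ssl.require_safe_negotiation", false);
// Ask servers to staple OCSP responses into the handshake; avoids a live OCSP
// fetch and the latency/privacy cost that comes with it.
pref("security.ssl.enable_ocsp_stapling", true);
// TLS False Start: send application data before the server's Finished arrives.
pref("security.ssl.enable_false_start", true);
// ALPN negotiation (needed to select HTTP/2).
pref("security.ssl.enable_alpn", true);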
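// Cipher suite toggles for pre-1.3 TLS. The order below is not negotiation
// preference (NSS decides the offered order). None of the suites listed here
// use RC4, export-grade, NULL or anonymous key exchange.

// AEAD suites with ECDHE forward secrecy — the ones we actually want to land on.
pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
pref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true);
pref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", true);
pref("security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384", true);
pref("security.ssl3.ecdhe_rsa_aes_256_gcm_sha384", true);

// CBC + HMAC-SHA1 suites with ECDHE. Forward-secret but not AEAD; kept for
// servers that predate GCM support.
pref("security.ssl3.ecdhe_rsa_aes_128_sha", true);
pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true);
pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);

// Finite-field DHE: forward-secret, but the group size is chosen by the
// server, so these suites tolerate whatever small group a server offers.
pref("security.ssl3.dhe_rsa_aes_128_sha", true);
pref("security.ssl3.dhe_rsa_aes_256_sha", true);

// Static RSA key exchange: no forward secrecy. Compatibility fallback only.
pref("security.ssl3.rsa_aes_128_sha", true);
pref("security.ssl3.rsa_aes_256_sha", true);

// Deprecate 3DES on nightly builds, Bug 1386754
// 3DES has a 64-bit block (birthday-bound attacks on long sessions); release
// and beta keep it for legacy servers while nightly turns it off to find
// breakage early.
#ifdef RELEASE_OR_BETA
pref("security.ssl3.rsa_des_ede3_sha", true);
#else
pref("security.ssl3.rsa_des_ede3_sha", false);
#endif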
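// Fingerprint (32 colon-separated bytes, presumably SHA-256) of the root that
// content signatures must chain to. This is a pinned trust anchor: signed
// content under any other root is rejected, so changing this value is a trust
// change and has to be coordinated with the signing side.
pref("security.content.signature.root_hash",
     "97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E");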
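// Client certificate selection: prompt the user instead of auto-selecting, so
// a site cannot silently learn which client certificates the user holds.
pref("security.default_personal_cert", "Ask Every Time");
// Default state of the "remember this decision" checkbox in that prompt.
pref("security.remember_cert_checkbox_default_setting", true);
// Master-password prompting policy and lifetime. The meaning of the mode codes
// and the unit of password_lifetime (presumably minutes) are defined in the
// PK11 token code — confirm there before changing either.
pref("security.ask_for_password", 0);
pref("security.password_lifetime", 30);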
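// The supported values of this pref are:
// 0: disable detecting Family Safety mode and importing the root
// 1: only attempt to detect Family Safety mode (don't import the root)
// 2: detect Family Safety mode and import the root
// (This is only relevant to Windows 8.1)
// Mode 2 adds the Family Safety filtering root to the trust store, i.e. the
// default deliberately widens trust on such systems; nothing in this pref
// restricts which root gets imported.
pref("security.family_safety.mode", 2);

// Trust CA roots from the OS enterprise root store in addition to the built-in
// ones. Off by default: enabling it makes any root an administrator (or
// anything running with admin rights) installs in the OS store trusted here.
pref("security.enterprise_roots.enabled", false);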
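// The supported values of this pref are:
// 0: do not fetch OCSP
// 1: fetch OCSP for DV and EV certificates
// 2: fetch OCSP only for EV certificates
pref("security.OCSP.enabled", 1);
// Hard-fail when the responder cannot be reached. Off (soft-fail): anyone who
// can block the OCSP fetch turns revocation checking into a no-op for that
// connection; stapling above is the mitigation that does not depend on this.
pref("security.OCSP.require", false);
// Use HTTP GET for OCSP requests (cacheable, RFC 5019 style); POST otherwise.
pref("security.OCSP.GET.enabled", false);
// Responder timeouts. Presumably "soft" applies where a failure is tolerated
// (require = false) and "hard" where the result is mandatory — confirm in the
// OCSP fetch code. Nightly uses the shorter soft timeout.
#ifdef RELEASE_OR_BETA
pref("security.OCSP.timeoutMilliseconds.soft", 2000);
#else
pref("security.OCSP.timeoutMilliseconds.soft", 1000);
#endif
pref("security.OCSP.timeoutMilliseconds.hard", 10000);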
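// Certificates valid for at most this many days count as short-lived;
// presumably revocation fetching is skipped for them since expiry does the job
// — confirm in CertVerifier.cpp.
pref("security.pki.cert_short_lifetime_in_days", 10);
// NB: Changes to this pref affect CERT_CHAIN_SHA1_POLICY_STATUS telemetry.
// See the comment in CertVerifier.cpp.
// 3 = only allow SHA-1 for certificates issued by an imported root.
// SHA-1 signatures are collision-broken; level 3 keeps them only where a
// locally imported root (enterprise / local interception) vouches for the
// chain, which is the case that cannot be fixed on the public-CA side.
pref("security.pki.sha1_enforcement_level", 3);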
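// security.pki.name_matching_mode controls how the platform matches hostnames
// to name information in TLS certificates. The possible values are:
// 0: always fall back to the subject common name if necessary (as in, if the
//    subject alternative name extension is either not present or does not
//    contain any DNS names or IP addresses)
// 1: fall back to the subject common name for certificates valid before 23
//    August 2016 if necessary
// 2: fall back to the subject common name for certificates valid before 23
//    August 2015 if necessary
// 3: only use name information from the subject alternative name extension
// Common-name fallback is the legacy behaviour (RFC 6125 wants SAN only). The
// stricter cut-off ships on non-release builds first so breakage is found
// before it reaches release.
#ifdef RELEASE_OR_BETA
pref("security.pki.name_matching_mode", 1);
#else
pref("security.pki.name_matching_mode", 2);
#endif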
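// security.pki.netscape_step_up_policy controls how the platform handles the
// id-Netscape-stepUp OID in extended key usage extensions of CA certificates.
// 0: id-Netscape-stepUp is always considered equivalent to id-kp-serverAuth
// 1: it is considered equivalent when the notBefore is before 23 August 2016
// 2: similarly, but for 23 August 2015
// 3: it is never considered equivalent
// Treating stepUp as serverAuth widens the set of CA certificates allowed to
// issue for TLS servers, so the stricter cut-off (mode 2) ships on non-release
// builds first — same pattern as security.pki.name_matching_mode.
#ifdef RELEASE_OR_BETA
pref("security.pki.netscape_step_up_policy", 1);
#else
pref("security.pki.netscape_step_up_policy", 2);
#endif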
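// Configures Certificate Transparency support mode:
// 0: Fully disabled.
// 1: Only collect telemetry. CT qualification checks are not performed.
// Only these two values are documented here; neither one fails a connection,
// so CT is observation-only at this point.
pref("security.pki.certificate_transparency.mode", 0);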
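// Web Authentication surface: the legacy U2F API, WebAuthn itself, and the two
// WebAuthn authenticator backends. All off by default. The soft token is a
// software authenticator (presumably for testing — confirm), so it does not
// give the hardware-backed, non-exportable credential that the USB token does.
pref("security.webauth.u2f", false);
pref("security.webauth.webauthn", false);
pref("security.webauth.webauthn_enable_softtoken", false);
pref("security.webauth.webauthn_enable_usbtoken", false);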
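// Reporting of TLS handshake / certificate errors to Mozilla. The feature is
// available (enabled = true) but each report requires user consent
// (automatic = false), since the report presumably carries details of the
// failed connection — confirm what is sent before flipping automatic on.
// The endpoint is HTTPS, so the report itself does not travel in the clear.
pref("security.ssl.errorReporting.enabled", true);
pref("security.ssl.errorReporting.url", "https://incoming.telemetry.mozilla.org/submit/sslreports/");
pref("security.ssl.errorReporting.automatic", false);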
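// Impose a maximum age on HPKP headers, to avoid sites getting permanently
// blacking themselves out by setting a bad pin. (60 days by default)
// https://tools.ietf.org/html/rfc7469#section-4.1
// 5184000 = 60 * 24 * 60 * 60; a header asking for longer is presumably
// clamped to this rather than rejected — confirm in the pinning code.
pref("security.cert_pinning.max_max_age_seconds", 5184000);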
Bug 1246540 - HSTS Priming Proof of Concept. r=ckerschb, r=mayhemer, r=jld, r=smaug, r=dkeeler, r=jmaher, p=ally
HSTS priming changes the order of mixed-content blocking and HSTS
upgrades, and adds a priming request to check if a mixed-content load is
accessible over HTTPS and the server supports upgrading via the
Strict-Transport-Security header.
Every call site that uses AsyncOpen2 passes through the mixed-content
blocker, and has a LoadInfo. If the mixed-content blocker marks the load as
needing HSTS priming, nsHttpChannel will build and send an HSTS priming
request on the same URI with the scheme upgraded to HTTPS. If the server
allows the upgrade, then channel performs an internal redirect to the HTTPS URI,
otherwise use the result of mixed-content blocker to allow or block the
load.
nsISiteSecurityService adds an optional boolean out parameter to
determine if the HSTS state is already cached for negative assertions.
If the host has been probed within the previous 24 hours, no HSTS
priming check will be sent.
MozReview-Commit-ID: ES1JruCtDdX
--HG--
extra : rebase_source : 2ac6c93c49f2862fc0b9e595eb0598cd1ea4bedf
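// HSTS Priming
// If a request is mixed-content, send an HSTS priming request to attempt to
// see if it is available over HTTPS.
// Don't change the order of evaluation of mixed-content and HSTS upgrades in
// order to be most compatible with current standards in Release
pref("security.mixed_content.send_hsts_priming", false);
pref("security.mixed_content.use_hsts", false);
#ifdef EARLY_BETA_OR_EARLIER
// Change the order of evaluation so HSTS upgrades happen before
// mixed-content blocking
// Same prefs set again: in a prefs file the last definition wins, so early
// beta and earlier get priming on while release keeps the defaults above.
pref("security.mixed_content.send_hsts_priming", true);
pref("security.mixed_content.use_hsts", true);
#endif
// Approximately 1 week default cache for HSTS priming failures, in seconds
// (604800 = 7 * 24 * 60 * 60). A cached negative result suppresses further
// priming requests to that host for the period, bounding the extra traffic
// a mixed-content page can trigger.
pref("security.mixed_content.hsts_priming_cache_timeout", 604800);
// Force the channel to timeout in 2 seconds if we have not received a
// response; expects a time in milliseconds.
pref("security.mixed_content.hsts_priming_request_timeout", 2000);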