bug 1487517 - un-do ciphersuite hiding from bug 1279479 and bug 1316300 r=mt

In bug 1279479 and bug 1316300 we hid some ciphersuites from TLS 1.3
handshakes, assuming we would fall back to TLS 1.2 if the peer needed them.
However, as of bug 1479501, we don't fall back by default, so this just means
we can't negotiate these ciphersuites. This patch un-hides these ciphersuites
from the TLS 1.3 handshake.

Differential Revision: https://phabricator.services.mozilla.com/D4725

--HG--
extra : moz-landing-system : lando
This commit is contained in:
Dana Keeler 2018-08-31 00:18:36 +00:00
Родитель 1b4d75245a
Коммит 1d12fc8a92
2 изменённых файлов: 0 добавлений и 11 удалений

Просмотреть файл

@ -63,10 +63,6 @@ public:
static nsresult GetNewPrompter(nsIPrompt** result); static nsresult GetNewPrompter(nsIPrompt** result);
// The following two methods are thread-safe.
static bool AreAnyWeakCiphersEnabled();
static void UseWeakCiphersOnSocket(PRFileDesc* fd);
static void FillTLSVersionRange(SSLVersionRange& rangeOut, static void FillTLSVersionRange(SSLVersionRange& rangeOut,
uint32_t minFromPrefs, uint32_t minFromPrefs,
uint32_t maxFromPrefs, uint32_t maxFromPrefs,

Просмотреть файл

@ -2577,13 +2577,6 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
} }
} }
if (range.max > SSL_LIBRARY_VERSION_TLS_1_2) {
SSL_CipherPrefSet(fd, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, false);
SSL_CipherPrefSet(fd, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, false);
SSL_CipherPrefSet(fd, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, false);
SSL_CipherPrefSet(fd, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, false);
}
// Include a modest set of named groups. // Include a modest set of named groups.
// Please change getKeaGroupName in nsNSSCallbacks.cpp when changing the list // Please change getKeaGroupName in nsNSSCallbacks.cpp when changing the list
// here. // here.