diff --git a/config/external/nss/nss.symbols b/config/external/nss/nss.symbols
index a69c748654db..46254f46fdc9 100644
--- a/config/external/nss/nss.symbols
+++ b/config/external/nss/nss.symbols
@@ -673,6 +673,7 @@ SSL_HandshakeCallback
 SSL_HandshakeNegotiatedExtension
 SSL_ImplementedCiphers @DATA@
 SSL_ImportFD
+SSL_NamedGroupConfig
 SSL_NumImplementedCiphers @DATA@
 SSL_OptionSet
 SSL_OptionSetDefault
diff --git a/media/mtransport/transportlayerdtls.cpp b/media/mtransport/transportlayerdtls.cpp
index 3427cbf1b521..4fc6593276b7 100644
--- a/media/mtransport/transportlayerdtls.cpp
+++ b/media/mtransport/transportlayerdtls.cpp
@@ -453,6 +453,15 @@ TransportLayerDtls::SetVerificationDigest(const std::string digest_algorithm,
 return NS_OK;
 }
+// These are the named groups that we will allow.
+static const SSLNamedGroup NamedGroupPreferences[] = {
+ ssl_grp_ec_curve25519,
+ ssl_grp_ec_secp256r1,
+ ssl_grp_ec_secp384r1,
+ ssl_grp_ffdhe_2048,
+ ssl_grp_ffdhe_3072
+};
+
 // TODO: make sure this is called from STS. Otherwise
 // we have thread safety issues
 bool TransportLayerDtls::Setup() {
@@ -587,6 +596,13 @@ bool TransportLayerDtls::Setup() {
 return false;
 }
+ rv = SSL_NamedGroupConfig(ssl_fd, NamedGroupPreferences,
+ mozilla::ArrayLength(NamedGroupPreferences));
+ if (rv != SECSuccess) {
+ MOZ_MTLOG(ML_ERROR, "Couldn't set named groups");
+ return false;
+ }
+
 // Certificate validation
 rv = SSL_AuthCertificateHook(ssl_fd, AuthCertificateHook,
 reinterpret_cast(this));
@@ -691,6 +707,7 @@ static const uint32_t DisabledCiphers[] = {
 TLS_ECDH_RSA_WITH_RC4_128_SHA,
 TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
 TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_RSA_WITH_AES_128_CBC_SHA256,
 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
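Review bot: The comment above `NamedGroupPreferences` in the `@@ -453` hunk says which groups are allowed but not whether the array order matters, although the name suggests a preference order handed to `SSL_NamedGroupConfig`. I would state both the ordering and the fact that the omissions are deliberate, for example `// Named groups enabled for DTLS, most preferred first; groups not listed here are not offered.` That wording assumes SSL_NamedGroupConfig treats the array as an ordered allow-list, which should be confirmed against the NSS header before it is committed.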
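Review bot: The failure branch after `SSL_NamedGroupConfig` in the `@@ -587` hunk logs a fixed string, so a rejected group list cannot be told apart from any other NSS failure when the log is read later. Including the NSPR error code would make it diagnosable, e.g. `MOZ_MTLOG(ML_ERROR, "Couldn't set named groups: " << PR_GetError());`, assuming MOZ_MTLOG accepts streamed arguments. Returning false here rather than continuing with the NSS default groups is the right fail-closed choice. `TransportLayerDtls::Setup()` begins and ends outside this hunk, so whether the neighbouring error paths already log the code is not visible.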
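Review bot: `DisabledCiphers` works as a deny-list, so a suite that NSS newly implements presumably stays at the library default until someone adds it by hand, which is what the new `TLS_RSA_WITH_AES_256_GCM_SHA384` entry in the `@@ -691` hunk has to do. A comment at the top of the array would make that maintenance duty explicit, e.g. `// Deny-list: re-check against SSL_ImplementedCiphers whenever NSS is updated.` If the code outside the hunk does not already do so, disabling every implemented suite first and then enabling only the wanted ones would remove the dependency on this list being complete. The array starts and ends outside the hunk.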
@@ -698,27 +715,18 @@ static const uint32_t DisabledCiphers[] = {
 TLS_RSA_WITH_AES_256_CBC_SHA256,
 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
 TLS_RSA_WITH_SEED_CBC_SHA,
- SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 TLS_RSA_WITH_RC4_128_SHA,
 TLS_RSA_WITH_RC4_128_MD5,
 TLS_DHE_RSA_WITH_DES_CBC_SHA,
 TLS_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_RSA_FIPS_WITH_DES_CBC_SHA,
 TLS_RSA_WITH_DES_CBC_SHA,
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-
- TLS_RSA_EXPORT_WITH_RC4_40_MD5,
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-
 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
 TLS_ECDHE_RSA_WITH_NULL_SHA,
 TLS_ECDH_ECDSA_WITH_NULL_SHA,
 TLS_ECDH_RSA_WITH_NULL_SHA,
-
 TLS_RSA_WITH_NULL_SHA,
 TLS_RSA_WITH_NULL_SHA256,
 TLS_RSA_WITH_NULL_MD5,