Bug 1168635 - Extend nsITLSServerSocket to customize cipher suites. r=keeler

netwerk/base/TLSServerSocket.cpp

@@ -222,6 +222,31 @@ TLSServerSocket::SetRequestClientCertificate(uint32_t aMode)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+TLSServerSocket::SetCipherSuites(uint16_t* aCipherSuites, uint32_t aLength)
+{
+  // If AsyncListen was already called (and set mListener), it's too late to set
+  // this.
+  if (NS_WARN_IF(mListener)) {
+    return NS_ERROR_IN_PROGRESS;
+  }
+
+  for (uint16_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
+    uint16_t cipher_id = SSL_ImplementedCiphers[i];
+    if (SSL_CipherPrefSet(mFD, cipher_id, false) != SECSuccess) {
+      return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+    }
+  }
+
+  for (uint32_t i = 0; i < aLength; ++i) {
+    if (SSL_CipherPrefSet(mFD, aCipherSuites[i], true) != SECSuccess) {
+      return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+    }
+  }
+
+  return NS_OK;
+}
+
 //-----------------------------------------------------------------------------
 // TLSServerConnectionInfo
 //-----------------------------------------------------------------------------

netwerk/base/nsITLSServerSocket.idl

@@ -8,7 +8,7 @@ interface nsIX509Cert;
 interface nsITLSServerSecurityObserver;
 interface nsISocketTransport;
 
-[scriptable, uuid(2e025b6c-96ba-4781-85fb-d1cf1a653207)]
+[scriptable, uuid(cc2c30f9-cfaa-4b8a-bd44-c24881981b74)]
 interface nsITLSServerSocket : nsIServerSocket
 {
   /**
@@ -60,6 +60,15 @@ interface nsITLSServerSocket : nsIServerSocket
    * change the default.
    */
   void setRequestClientCertificate(in unsigned long aRequestClientCert);
+
+  /**
+   * setCipherSuites
+   *
+   * The server's cipher suites that is used by the TLS handshake.
+   * This is required to be set before calling |asyncListen|.
+   */
+  void setCipherSuites([array, size_is(aLength)] in unsigned short aCipherSuites,
+                       in unsigned long aLength);
 };
 
 /**