Bug 1579285 - Add pref to override minimum TLS version r=keeler
The intent of adding this pref is to allow us to change defaults for security.tls.version.min for a progressive rollout of a TLS 1.0 and 1.1 deprecation. During that process, we'd like to offer the option to enable these old TLS versions, without adding a pref override that would cause those versions to remain enabled once we finish the rollout. Those people who have triggered the override will be able to access TLS 1.0 and 1.1 sites until we eventually remove the code that respects this pref. What is likely to happen is that this pref will remain in code past the end of our rollout for part of a release cycle, plus maybe the next cycle depending on how timing works out. This pref is a simple boolean that we'll remove in March 2020. Differential Revision: https://phabricator.services.mozilla.com/D45798 --HG-- extra : moz-landing-system : lando
Родитель
506fbc6493
Коммит
a7ed72cb2e
@ -25,6 +25,7 @@
pref("security.tls.version.min", 3);
pref("security.tls.version.min", 3);
#endif
#endif
pref("security.tls.version.max", 4);
pref("security.tls.version.max", 4);
pref("security.tls.version.enable-deprecated", false);
pref("security.tls.version.fallback-limit", 4);
pref("security.tls.version.fallback-limit", 4);
pref("security.tls.insecure_fallback_hosts", "");
pref("security.tls.insecure_fallback_hosts", "");
// Turn off post-handshake authentication for TLS 1.3 by default,
// Turn off post-handshake authentication for TLS 1.3 by default,
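Review bot: The new `security.tls.version.enable-deprecated` default is added with no comment, while the C++ side that reads it carries a removal-date comment, so a reader of the prefs file cannot tell that this is a temporary rollout escape hatch rather than a permanent knob. I would add above it `// Temporary: lets the user re-enable deprecated TLS 1.0/1.1 during the minimum-version rollout; remove in March 2020 (bug 1579285).` so the pref and the code agree on its lifetime. The file header for this hunk is not shown, so I am inferring from the pref() lines that this is a prefs file.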
@ -1259,6 +1259,14 @@ nsresult nsNSSComponent::setEnabledTLSVersions() {
uint32_t maxFromPrefs = Preferences::GetUint("security.tls.version.max",
uint32_t maxFromPrefs = Preferences::GetUint("security.tls.version.max",
PSM_DEFAULT_MAX_TLS_VERSION);
PSM_DEFAULT_MAX_TLS_VERSION);
// This override should be removed when PSM_DEFAULT_MIN_TLS_VERSION is increased
// to 3 in March 2020, see bug 1579285.
bool enableDeprecated = Preferences::GetBool("security.tls.version.enable-deprecated",
false);
if (enableDeprecated) {
minFromPrefs = std::min(minFromPrefs, PSM_DEFAULT_MIN_TLS_VERSION);
}
SSLVersionRange defaults = {
SSLVersionRange defaults = {
SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION,
SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION,
SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION};
SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION};
@ -1910,7 +1918,8 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
NS_ConvertUTF16toUTF8 prefName(someData);
NS_ConvertUTF16toUTF8 prefName(someData);
if (prefName.EqualsLiteral("security.tls.version.min") ||
if (prefName.EqualsLiteral("security.tls.version.min") ||
prefName.EqualsLiteral("security.tls.version.max")) {
prefName.EqualsLiteral("security.tls.version.max") ||
prefName.EqualsLiteral("security.tls.version.enable-deprecated")) {
(void)setEnabledTLSVersions();
(void)setEnabledTLSVersions();
} else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) {
} else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) {
bool enableDowngradeCheck = Preferences::GetBool(
bool enableDowngradeCheck = Preferences::GetBool(
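Review bot: In the setEnabledTLSVersions hunk, the new `minFromPrefs = std::min(minFromPrefs, PSM_DEFAULT_MIN_TLS_VERSION);` clamps the minimum down whenever the pref is true, so it also undoes a `security.tls.version.min` that a user or deployment raised on purpose (min=3 plus enable-deprecated=true ends up allowing TLS 1.0 again), not only the rollout's bumped default. If the rollout raises the default branch rather than setting a user value, limiting the clamp to the no-user-value case would keep deliberate hardening intact: `if (enableDeprecated && !Preferences::HasUserValue("security.tls.version.min")) {`. The declaration of minFromPrefs and the start of setEnabledTLSVersions are above the hunk, as is the observer registration the new `EqualsLiteral("security.tls.version.enable-deprecated")` branch in Observe depends on, so I cannot confirm from here that a change to the new pref actually reaches Observe. The removal-date comment could also state that the override only ever lowers the effective minimum and never raises it, which is the property that makes it safe to leave in place after the default changes.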