Bug 79528 r=ddrinan/sr=ben Add edit window for SSL ciphers

security/manager/pki/resources/locale/en-US/pref-ssl.dtd

@@ -29,11 +29,11 @@
 <!ENTITY enable.ssl3 "Enable SSL version 3">
 <!ENTITY enable.tls "Enable TLS">
 
-<!ENTITY edit.sslciphers "Edit SSL Ciphers...">
+<!ENTITY edit.sslciphers "Edit Ciphers...">
 
 <!ENTITY warn.description "&brandShortName; can alert you to the security status of the web page you are viewing. Set &brandShortName; to show a warning and ask permission before:">
 <!ENTITY warn.enteringsecure "Entering a site that supports encryption">
-<!ENTITY warn.enteringweak "Entering a site that uses weak encryption">
+<!ENTITY warn.enteringweak "Entering a site that uses low-grade encryption">
 <!ENTITY warn.insecurepost
  "Sending form data from an insecure page to an insecure page">
 <!ENTITY warn.secureredirect "Redirection from one secure site to another">
@@ -44,3 +44,28 @@
 <!ENTITY certselect.description "Decide how &brandShortName; selects a security certificate to present to web sites that require one:">
 <!ENTITY certselect.auto "Select Automatically">
 <!ENTITY certselect.ask "Ask Every Time">
+
+<!-- Cipher pref window -->
+<!ENTITY cipher.title "SSL: Edit Ciphers">
+<!ENTITY cipher.ssl2.label "SSL2 Ciphersuites">
+<!ENTITY cipher.ssl3.label "SSL3/TLS Ciphersuites">
+
+<!-- SSL2 Ciphers -->
+<!ENTITY cipher.ssl2.rc4_128 "RC4 encryption with a 128-bit key">
+<!ENTITY cipher.ssl2.rc2_128 "RC2 encryption with a 128-bit key">
+<!ENTITY cipher.ssl2.des_ede3_192 "Triple DES encryption with a 168-bit key">
+<!ENTITY cipher.ssl2.des_64 "DES encryption with a 56-bit key">
+<!ENTITY cipher.ssl2.rc4_40 "RC4 encryption with a 40-bit key">
+<!ENTITY cipher.ssl2.rc2_40 "RC2 encryption with a 40-bit key">
+
+<!-- SSL3 ciphers -->
+<!ENTITY cipher.ssl3.rsa_rc4_128_md5 "RC4 encryption with a 128-bit key and an MD5 MAC">
+<!ENTITY cipher.ssl3.rsa_fips_des_ede3_sha "FIPS 140-1 compliant triple DES encryption and SHA-1 MAC">
+<!ENTITY cipher.ssl3.rsa_des_ede3_sha "Triple DES encryption with a 168-bit key and a SHA-1 MAC">
+<!ENTITY cipher.ssl3.rsa_fips_des_sha "FIPS 140-1 compliant DES encryption and SHA-1 MAC">
+<!ENTITY cipher.ssl3.rsa_des_sha "DES encryption with a 56-bit key and a SHA-1 MAC">
+<!ENTITY cipher.ssl3.rsa_1024_rc4_56_sha "RC4 encryption with a 56-bit key and a SHA-1 MAC">
+<!ENTITY cipher.ssl3.rsa_1024_des_cbc_sha "DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC">
+<!ENTITY cipher.ssl3.rsa_rc4_40_md5 "RC4 encryption with a 40-bit key and an MD5 MAC">
+<!ENTITY cipher.ssl3.rsa_rc2_40_md5 "RC2 encryption with a 40-bit key and an MD5 MAC">
+<!ENTITY cipher.ssl3.rsa_null_md5 "No encryption with an MD5 MAC">

security/manager/ssl/src/nsNSSComponent.cpp

@@ -337,6 +337,37 @@ nsNSSComponent::RegisterCertContentListener()
   return rv;
 }
 
+/* Table of pref names and SSL cipher ID */
+typedef struct {
+  char* pref;
+  long id;
+} CipherPref;
+
+static CipherPref CipherPrefs[] = {
+/* SSL2 ciphers */
+ {"security.ssl2.rc4_128", SSL_EN_RC4_128_WITH_MD5},
+ {"security.ssl2.rc2_128", SSL_EN_RC2_128_CBC_WITH_MD5},
+ {"security.ssl2.des_ede3_192", SSL_EN_DES_192_EDE3_CBC_WITH_MD5},
+ {"security.ssl2.des_64", SSL_EN_DES_64_CBC_WITH_MD5},
+ {"security.ssl2.rc4_40", SSL_EN_RC4_128_EXPORT40_WITH_MD5},
+ {"security.ssl2.rc2_40", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5},
+ /* SSL3 ciphers */
+ {"security.ssl3.fortezza_fortezza_sha", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA},
+ {"security.ssl3.fortezza_rc4_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA},
+ {"security.ssl3.rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5},
+ {"security.ssl3.rsa_fips_des_ede3_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA},
+ {"security.ssl3.rsa_des_ede3_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA},
+ {"security.ssl3.rsa_fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA},
+ {"security.ssl3.rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA},
+ {"security.ssl3.rsa_1024_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
+ {"security.ssl3.rsa_1024_des_cbc_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
+ {"security.ssl3.rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5},
+ {"security.ssl3.rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5},
+ {"security.ssl3.fortezza_null_sha", SSL_FORTEZZA_DMS_WITH_NULL_SHA},
+ {"security.ssl3.rsa_null_md5", SSL_RSA_WITH_NULL_MD5},
+ {NULL, 0} /* end marker */
+};
+
 nsresult
 nsNSSComponent::InitializeNSS()
 {
@@ -390,6 +421,13 @@ nsNSSComponent::InitializeNSS()
   mPref->GetBoolPref("security.enable_tls", &enabled);
   SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
 
+  // Set SSL/TLS ciphers
+  for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
+    mPref->GetBoolPref(cp->pref, &enabled);
+
+    SSL_CipherPrefSetDefault(cp->id, enabled);
+  }
+
   // Enable ciphers for PKCS#12
   SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
   SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
@@ -518,6 +556,7 @@ void
 nsNSSComponent::PrefChanged(const char* prefName)
 {
   PRBool enabled;
+
   if (!nsCRT::strcmp(prefName, "security.enable_ssl2")) {
     mPref->GetBoolPref("security.enable_ssl2", &enabled);
     SSL_OptionSetDefault(SSL_ENABLE_SSL2, enabled);
@@ -527,6 +566,15 @@ nsNSSComponent::PrefChanged(const char* prefName)
   } else if (!nsCRT::strcmp(prefName, "security.enable_tls")) {
     mPref->GetBoolPref("security.enable_tls", &enabled);
     SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
+  } else {
+    /* Look through the cipher table and set according to pref setting */
+    for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
+      if (!nsCRT::strcmp(prefName, cp->pref)) {
+        mPref->GetBoolPref(cp->pref, &enabled);
+        SSL_CipherPrefSetDefault(cp->id, enabled);
+        break;
+      }
+    }
   }
 }