#334, closes #489: enable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for a…

…mtrak.com
classilla · Mar 20, 2018 · 14d8add · 14d8add
1 parent 41675e9
commit 14d8add
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
@@ -19,6 +19,7 @@ pref("security.ssl.enable_alpn", true);
 pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
 pref("security.ssl3.ecdhe_rsa_aes_128_sha", true);
+pref("security.ssl3.ecdhe_rsa_aes_128_sha256", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true);
 pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);

diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -30,8 +30,10 @@ using namespace mozilla::psm;
 
 extern PRLogModuleInfo* gPIPNSSLog;
 
+#if (0) // TenFourFox issue 334
 static void AccumulateCipherSuite(Telemetry::ID probe,
                                   const SSLChannelInfo& channelInfo);
+#endif
 
 namespace {
 
@@ -1027,6 +1029,7 @@ CanFalseStartCallback(PRFileDesc* fd, void* client_data, PRBool *canFalseStart)
   return SECSuccess;
 }
 
+#if(0) // TenFourFox issue 334
 static void
 AccumulateNonECCKeySize(Telemetry::ID probe, uint32_t bits)
 {
@@ -1076,6 +1079,7 @@ AccumulateCipherSuite(Telemetry::ID probe, const SSLChannelInfo& channelInfo)
     case TLS_ECDHE_RSA_WITH_RC4_128_SHA: value = 8; break;
     case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: value = 9; break;
     case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: value = 10; break;
+    case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: value = 11; break; // just in case, issue 489
     // DHE key exchange
     case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: value = 21; break;
     case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: value = 22; break;
@@ -1114,6 +1118,7 @@ AccumulateCipherSuite(Telemetry::ID probe, const SSLChannelInfo& channelInfo)
   MOZ_ASSERT(value != 0);
   Telemetry::Accumulate(probe, value);
 }
+#endif
 
 void HandshakeCallback(PRFileDesc* fd, void* client_data) {
   nsNSSShutDownPreventionLock locker;
@@ -1146,6 +1151,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
   rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo));
   MOZ_ASSERT(rv == SECSuccess);
   if (rv == SECSuccess) {
+#if(0) // TenFourFox issue 334
     // Get the protocol version for telemetry
     // 1=tls1, 2=tls1.1, 3=tls1.2
     unsigned int versionEnum = channelInfo.protocolVersion & 0xFF;
@@ -1155,6 +1161,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
       infoObject->IsFullHandshake() ? Telemetry::SSL_CIPHER_SUITE_FULL
                                     : Telemetry::SSL_CIPHER_SUITE_RESUMED,
       channelInfo);
+#endif
 
     SSLCipherSuiteInfo cipherInfo;
     rv = SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
@@ -1163,17 +1170,20 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
     if (rv == SECSuccess) {
       usesWeakCipher = cipherInfo.symCipher == ssl_calg_rc4;
 
+#if(0)
       // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4
       Telemetry::Accumulate(
         infoObject->IsFullHandshake()
           ? Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_FULL
           : Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_RESUMED,
         cipherInfo.keaType);
+#endif
 
       DebugOnly<int16_t> KEAUsed;
       MOZ_ASSERT(NS_SUCCEEDED(infoObject->GetKEAUsed(&KEAUsed)) &&
                  (KEAUsed == cipherInfo.keaType));
 
+#if(0)
       if (infoObject->IsFullHandshake()) {
         switch (cipherInfo.keaType) {
           case ssl_kea_rsa:
@@ -1223,6 +1233,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
             ? Telemetry::SSL_SYMMETRIC_CIPHER_FULL
             : Telemetry::SSL_SYMMETRIC_CIPHER_RESUMED,
           cipherInfo.symCipher);
+#endif
     }
   }
 

diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
@@ -623,6 +623,9 @@ static const CipherPref sCipherPrefs[] = {
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, true },
  { "security.ssl3.ecdhe_ecdsa_aes_128_sha",
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, true },
+ // stopgap for TenFourFox issue 489 pending ChaCha20/Poly1305 implementation
+ { "security.ssl3.ecdhe_rsa_aes_128_sha256",
+   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, true },
 
  { "security.ssl3.ecdhe_rsa_aes_256_sha",
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, true },