Bug 1316300 - Remove ECDSA_CBC cipher suites from TLS 1.3 ClientHello. r=keeler
author Masatoshi Kimura <VYV03354@nifty.ne.jp>
Sat, 17 Dec 2016 12:32:58 +0900
changeset 326848 0c0edf04c56f717351973e169720e888ab37d46b
parent 326847 7a03c08fa0ba609f77b88c670094505369363765
child 326849 839a3dcee4ffd0815eb2b264ecb73deca07cb60a
push id 35360
push user VYV03354@nifty.ne.jp
push date Thu, 22 Dec 2016 00:45:40 +0000
reviewers keeler
bugs 1316300
milestone 53.0a1
Bug 1316300 - Remove ECDSA_CBC cipher suites from TLS 1.3 ClientHello. r=keeler

Because we enabled TLS 1.3 by default and removed the weak cipher suite fallback machinery, this is the simplest change to hide ECDSA_CBC behind fallback and measure the impact of removal.

MozReview-Commit-ID: G5gDKEid5XB
security/manager/ssl/nsNSSIOLayer.cpp
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -2397,16 +2397,21 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, b
       }
     }
     // tell NSS the max enabled version to make anti-downgrade effective
     if (SECSuccess != SSL_SetDowngradeCheckVersion(fd, maxEnabledVersion)) {
       return NS_ERROR_FAILURE;
     }
   }
 
+  if (range.max > SSL_LIBRARY_VERSION_TLS_1_2) {
+    SSL_CipherPrefSet(fd, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, false);
+    SSL_CipherPrefSet(fd, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, false);
+  }
+
   // Include a modest set of named groups.
   const SSLNamedGroup namedGroups[] = {
     ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1,
     ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072
   };
   if (SECSuccess != SSL_NamedGroupConfig(fd, namedGroups,
                                          mozilla::ArrayLength(namedGroups))) {
     return NS_ERROR_FAILURE;
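Review bot: The two added `SSL_CipherPrefSet(fd, ..., false)` calls discard their return values, while the neighbouring calls in this function (`SSL_SetDowngradeCheckVersion` above, `SSL_NamedGroupConfig` below) compare against `SECSuccess` and return `NS_ERROR_FAILURE`. If either call fails, the socket silently keeps offering the ECDSA_CBC suite in the TLS 1.3 ClientHello, which defeats both the removal and the impact measurement the commit message describes; please check the result the same way. The new `if (range.max > SSL_LIBRARY_VERSION_TLS_1_2)` block also has no comment, unlike the blocks around it. A one-line comment would help: it should say that the suites are disabled whenever TLS 1.3 is offered, so they remain reachable only through a fallback handshake with a lower maximum version, because a later reader cannot recover that from the condition alone.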