Bug 1290037 - Update keybits in H2, r=mt
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Thu, 28 Jul 2016 16:48:00 +0200
changeset 308814 361ac226da2a83516db8d4e4c5b41a69b3ba754f
parent 308813 5d5d3ef04f3f77bb95616f56c129256a89f57831
child 308815 40e95a2eb907cf067af00a3c5b126a344b515fdb
push id30550
push usercbook@mozilla.com
push dateWed, 10 Aug 2016 13:55:02 +0000
treeherdermozilla-central@c12bb83ad278 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmt
bugs1290037
milestone51.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1290037 - Update keybits in H2, r=mt MozReview-Commit-ID: 35oWoDMqe1Y
netwerk/protocol/http/Http2Session.cpp
--- a/netwerk/protocol/http/Http2Session.cpp
+++ b/netwerk/protocol/http/Http2Session.cpp
@@ -3544,18 +3544,18 @@ Http2Session::ConfirmTLSProfile()
     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
   }
 
   uint32_t keybits = ssl->GetKEAKeyBits();
   if (kea == ssl_kea_dh && keybits < 2048) {
     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
           this, keybits));
     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
+  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
+    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
           this, keybits));
     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
   }
 
   int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
   LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
         this, macAlgorithm));
   if (macAlgorithm != nsISSLSocketControl::SSL_MAC_AEAD) {