author | Arthur Edelstein <arthuredelstein@gmail.com> |
Mon, 08 Sep 2014 15:32:00 -0400 | |
changeset 206282 | 85fdc596e2575b7368fb5c8495a897c9c3bfe786 |
parent 206281 | 3f395d9d894a542339348a067951096f01edced6 |
child 206283 | 45cac79834c7f0abc4ee9da24cf2226898e2e2b0 |
push id | 27520 |
push user | kwierso@gmail.com |
push date | Sat, 20 Sep 2014 00:25:19 +0000 |
treeherder | mozilla-central@27253887d2cc [default view] [failures only] |
reviewers | dkeeler |
bugs | 967977 |
milestone | 35.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/manager/ssl/src/nsNSSComponent.cpp +++ b/security/manager/ssl/src/nsNSSComponent.cpp @@ -698,16 +698,25 @@ static const CipherPref sCipherPrefs[] = static const int32_t OCSP_ENABLED_DEFAULT = 1; static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false; static const bool ALLOW_UNRESTRICTED_RENEGO_DEFAULT = false; static const bool FALSE_START_ENABLED_DEFAULT = true; static const bool NPN_ENABLED_DEFAULT = true; static const bool ALPN_ENABLED_DEFAULT = false; +static void +ConfigureTLSSessionIdentifiers() +{ + bool disableSessionIdentifiers = + Preferences::GetBool("security.ssl.disable_session_identifiers", false); + SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, !disableSessionIdentifiers); + SSL_OptionSetDefault(SSL_NO_CACHE, disableSessionIdentifiers); +} + namespace { class CipherSuiteChangeObserver : public nsIObserver { public: NS_DECL_ISUPPORTS NS_DECL_NSIOBSERVER @@ -989,17 +998,17 @@ nsNSSComponent::InitializeNSS() return NS_ERROR_UNEXPECTED; } DisableMD5(); // Initialize the certverifier log before calling any functions that library. InitCertVerifierLog(); LoadLoadableRoots(); - SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, true); + ConfigureTLSSessionIdentifiers(); bool requireSafeNegotiation = Preferences::GetBool("security.ssl.require_safe_negotiation", REQUIRE_SAFE_NEGOTIATION_DEFAULT); SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation); bool allowUnrestrictedRenego = Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", 
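Review bot: ConfigureTLSSessionIdentifiers() has no comment saying why one pref drives both SSL_ENABLE_SESSION_TICKETS and SSL_NO_CACHE, so a later reader could change one option and leave the other resumption path open. I would add above it something like `// Session tickets and the session ID cache both let a server resume, and so link, a client's connections; the pref turns both off together at the cost of a full handshake each time.` The default is also the bare literal `false`, whereas the constants directly above give every other pref a named default; `static const bool DISABLE_SESSION_IDENTIFIERS_DEFAULT = false;` would keep it with them. Both SSL_OptionSetDefault results are ignored, as they are elsewhere in this file, so if the SSL_NO_CACHE call failed the pref would be only half applied with nothing reported.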
@@ -1299,16 +1308,18 @@ nsNSSComponent::Observe(nsISupports* aSu } else if (prefName.EqualsLiteral("security.ssl.enable_npn")) { SSL_OptionSetDefault(SSL_ENABLE_NPN, Preferences::GetBool("security.ssl.enable_npn", NPN_ENABLED_DEFAULT)); } else if (prefName.EqualsLiteral("security.ssl.enable_alpn")) { SSL_OptionSetDefault(SSL_ENABLE_ALPN, Preferences::GetBool("security.ssl.enable_alpn", ALPN_ENABLED_DEFAULT)); + } else if (prefName.Equals("security.ssl.disable_session_identifiers")) { + ConfigureTLSSessionIdentifiers(); } else if (prefName.EqualsLiteral("security.OCSP.enabled") || prefName.EqualsLiteral("security.OCSP.require") || prefName.EqualsLiteral("security.OCSP.GET.enabled") || prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") || prefName.EqualsLiteral("security.cert_pinning.enforcement_level")) { MutexAutoLock lock(mutex); setValidationOptions(false, lock); } else if (prefName.EqualsLiteral("network.ntlm.send-lm-response")) {
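Review bot: The added branch tests the pref with `prefName.Equals("security.ssl.disable_session_identifiers")` while every neighbouring branch in this chain uses `EqualsLiteral`; `} else if (prefName.EqualsLiteral("security.ssl.disable_session_identifiers")) {` would match them. Separately, SSL_OptionSetDefault only sets defaults for sockets opened afterwards, so when the pref flips to true at runtime the session entries already cached presumably stay in memory and connections that are already open keep their settings. If the pref is meant to take effect immediately, calling `SSL_ClearSessionCache();` in this branch when the pref is true would drop the stored sessions explicitly. Observe() begins and ends outside this hunk, so how the observer is registered for this pref is not visible here.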