Bug 733647: Enable TLS 1.1 by default, r=wtc
authorBrian Smith <brian@briansmith.org>
Sat, 26 Oct 2013 01:01:37 -0700
changeset 152577 998b63fe349249be6742b9e694b6f3b2e0bca15b
parent 152576 dfc04d7991c437526649159acec9db445bc25b75
child 152578 0d29189eef9bc57f0e025c23041c1d26523238ce
push id25552
push usercbook@mozilla.com
push dateTue, 29 Oct 2013 12:21:45 +0000
reviewerswtc
bugs733647
milestone28.0a1
Bug 733647: Enable TLS 1.1 by default, r=wtc
netwerk/base/public/security-prefs.js
security/manager/ssl/src/nsNSSComponent.cpp
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -1,14 +1,14 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 pref("security.tls.version.min", 0);
-pref("security.tls.version.max", 1);
+pref("security.tls.version.max", 2);
 pref("security.enable_md5_signatures", false);
 
 pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
 pref("security.ssl.renego_unrestricted_hosts", "");
 pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
 pref("security.ssl.require_safe_negotiation",  false);
 pref("security.ssl.warn_missing_rfc5746",  1);
 pref("security.ssl.enable_ocsp_stapling", true);
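Review bot: The meaning of the integer values on the two `security.tls.version.*` lines is documented only on the C++ side, and the sync comment in nsNSSComponent.cpp points back here while this file has no reciprocal note, so a future bump of either copy is easy to miss. I would add above `pref("security.tls.version.min", 0);` the comment `// 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1; keep in sync with PSM_DEFAULT_{MIN,MAX}_TLS_VERSION in nsNSSComponent.cpp`. Note also that only the maximum moves to 2 here: the minimum stays at 0, so SSL 3.0 remains negotiable by default, which is worth stating in the commit description if that is intended.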
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -955,24 +955,25 @@ void nsNSSComponent::setValidationOption
 
   /*
     * The new defaults might change the validity of already established SSL sessions,
     * let's not reuse them.
     */
   SSL_ClearSessionCache();
 }
 
-// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 and
-// TLS 1.0 when the prefs aren't set or when they are set to invalid values.
+// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 (min
+// version) and TLS 1.1 (max version) when the prefs aren't set or set to
+// invalid values.
 nsresult
 nsNSSComponent::setEnabledTLSVersions()
 {
-  // keep these values in sync with security-prefs.js and firefox.js
+  // keep these values in sync with security-prefs.js
   static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0;
-  static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 1;
+  static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 2;
 
   int32_t minVersion = Preferences::GetInt("security.tls.version.min",
                                            PSM_DEFAULT_MIN_TLS_VERSION);
   int32_t maxVersion = Preferences::GetInt("security.tls.version.max",
                                            PSM_DEFAULT_MAX_TLS_VERSION);
 
   // 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.
   minVersion += SSL_LIBRARY_VERSION_3_0;
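Review bot: The pref values are added to `SSL_LIBRARY_VERSION_3_0` on the last line of the hunk with no prior range check, so a negative or very large `security.tls.version.min`/`max` (a user-editable int32) is arithmetically shifted before anything rejects it, and the header comment's promise to fall back to the defaults on invalid values is not established by any line visible here. If the validation lives after the addition, as the rest of the function (which continues past the hunk) may do, an out-of-range value near INT32_MAX overflows the signed add first, which is undefined behaviour in C++. I would reject the raw values before the `+=`, e.g. `if (minVersion < 0 || maxVersion < 0 || minVersion > maxVersion) {` / `  minVersion = PSM_DEFAULT_MIN_TLS_VERSION; maxVersion = PSM_DEFAULT_MAX_TLS_VERSION;` / `}`, and keep any later NSS range check for the upper bound. The comment on the raised default might also note that `2` is TLS 1.1 because the `SSL_LIBRARY_VERSION_*` constants are consecutive from SSL 3.0, which is the assumption the arithmetic relies on.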