537356 - Implement new safe SSL3 & TLS renegotiation. Change renegotiation default to be SSL_RENEGOTIATE_REQUIRES_XTN. r=wtc.
authoralexei.volkov.bugs%sun.com
Fri, 26 Feb 2010 20:44:54 +0000
changeset 9572 409102442c953a3708a866160d118ba36c64713a
parent 9571 f40bb751b86f87b298d25c238ff903d6f1df5cc5
child 9573 71101c9a3ffe740e5c713cccab2f6c9d774136bd
push idunknown
push userunknown
push dateunknown
reviewerswtc
bugs537356
537356 - Implement new safe SSL3 & TLS renegotiation. Change renegotiation default to be SSL_RENEGOTIATE_REQUIRES_XTN. r=wtc.
security/nss/lib/ssl/sslsock.c
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -176,17 +176,17 @@ static sslOptions ssl_defaults = {
     PR_FALSE,	/* fdx                */
     PR_TRUE,	/* v2CompatibleHello  */
     PR_TRUE,	/* detectRollBack     */
     PR_FALSE,   /* noStepDown         */
     PR_FALSE,   /* bypassPKCS11       */
     PR_FALSE,   /* noLocks            */
     PR_FALSE,   /* enableSessionTickets */
     PR_FALSE,   /* enableDeflate      */
-    3,          /* enableRenegotiation (default: transitional) */
+    2,          /* enableRenegotiation (default: requires extension) */
     PR_FALSE,   /* requireSafeNegotiation */
 };
 
 sslSessionIDLookupFunc  ssl_sid_lookup;
 sslSessionIDCacheFunc   ssl_sid_cache;
 sslSessionIDUncacheFunc ssl_sid_uncache;
 
 static PRBool ssl_inited = PR_FALSE;
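Review bot: The new default on the `enableRenegotiation` line is written as the bare literal `2`, with the meaning carried only by the trailing comment, while the same value is spelled `SSL_RENEGOTIATE_REQUIRES_XTN` in the ssl_NewSocket hunk below and in the commit title. If that name is a constant visible to this file, the initializer should use it, `SSL_RENEGOTIATE_REQUIRES_XTN, /* enableRenegotiation (default: requires extension) */`, so the default cannot silently drift from the enum if the numbering ever changes. Since this default now rejects renegotiation with peers lacking the RFC 5746 extension, a one-line comment at the ssl_defaults initializer stating that the default was tightened from transitional mode, and that NSS_SSL_ENABLE_RENEGOTIATION overrides it, would help anyone debugging a handshake failure after this change. The ssl_defaults initializer starts before this hunk.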
@@ -2296,17 +2296,17 @@ ssl_NewSocket(PRBool makeLocks)
 	ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION");
 	if (ev) {
 	    if (ev[0] == '1' || LOWER(ev[0]) == 'u')
 	    	ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED;
 	    else if (ev[0] == '0' || LOWER(ev[0]) == 'n')
 	    	ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER;
 	    else if (ev[0] == '2' || LOWER(ev[0]) == 'r')
 		ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN;
-	    else
+	    else if (ev[0] == '3' || LOWER(ev[0]) == 't')
 	    	ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL;
 	    SSL_TRACE(("SSL: enableRenegotiation set to %d", 
 	               ssl_defaults.enableRenegotiation));
 	}
 	ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
 	if (ev && ev[0] == '1') {
 	    ssl_defaults.requireSafeNegotiation = PR_TRUE;
 	    SSL_TRACE(("SSL: requireSafeNegotiation set to %d",