Bug 1622298 - Port bug 1621732: Provide a policy to disable ciphers. r=darktrojan
authorRichard Marti <richard.marti@gmail.com>
Tue, 17 Mar 2020 12:39:06 +0200
changeset 38503 50e95bf7986d08be42c8bf51cc3e3587e7a53f90
parent 38502 6b7f4b4acf12c581adaa6588006cfd1d2b33c6bc
child 38504 bd92c86971d7cd014206df89b25ad071bd0362a6
push id400
push userclokep@gmail.com
push dateMon, 04 May 2020 18:56:09 +0000
reviewersdarktrojan
bugs1622298, 1621732
Bug 1622298 - Port bug 1621732: Provide a policy to disable ciphers. r=darktrojan
mail/components/enterprisepolicies/Policies.jsm
mail/components/enterprisepolicies/schemas/policies-schema.json
mail/locales/en-US/messenger/policies/policies-descriptions.ftl
--- a/mail/components/enterprisepolicies/Policies.jsm
+++ b/mail/components/enterprisepolicies/Policies.jsm
@@ -222,16 +222,48 @@ var Policies = {
   DisableAppUpdate: {
     onBeforeAddons(manager, param) {
       if (param) {
         manager.disallowFeature("appUpdate");
       }
     },
   },
 
+  DisabledCiphers: {
+    onBeforeAddons(manager, param) {
+      if ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA" in param) {
+        setAndLockPref("security.ssl3.dhe_rsa_aes_128_sha", false);
+      }
+      if ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA" in param) {
+        setAndLockPref("security.ssl3.dhe_rsa_aes_256_sha", false);
+      }
+      if ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" in param) {
+        setAndLockPref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
+      }
+      if ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" in param) {
+        setAndLockPref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
+      }
+      if ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" in param) {
+        setAndLockPref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", false);
+      }
+      if ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" in param) {
+        setAndLockPref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", false);
+      }
+      if ("TLS_RSA_WITH_AES_128_CBC_SHA" in param) {
+        setAndLockPref("security.ssl3.rsa_aes_128_sha", false);
+      }
+      if ("TLS_RSA_WITH_AES_256_CBC_SHA" in param) {
+        setAndLockPref("security.ssl3.rsa_aes_256_sha", false);
+      }
+      if ("TLS_RSA_WITH_3DES_EDE_CBC_SHA" in param) {
+        setAndLockPref("security.ssl3.rsa_des_ede3_sha", false);
+      }
+    },
+  },
+
   DisableDeveloperTools: {
     onBeforeAddons(manager, param) {
       if (param) {
         setAndLockPref("devtools.policy.disabled", true);
         setAndLockPref("devtools.chrome.enabled", false);
 
         manager.disallowFeature("devtools");
         blockAboutPage(manager, "about:devtools");
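Review bot: The nine checks in `DisabledCiphers.onBeforeAddons` use `"…" in param`, which tests only that the key is present, so an entry set to `false` still disables and locks that suite even though the schema in this commit types every entry as a boolean. An administrator who writes `false` to keep a suite available would lose it without any message, and connections to servers offering only that suite would start failing. Testing the value, for instance through one name-to-pref table as sketched below, makes the handler agree with the schema and keeps the mapping in one place. Whether `false` should also lock the pref to enabled is a policy decision the page does not settle.

```javascript
  DisabledCiphers: {
    onBeforeAddons(manager, param) {
      // Policy name -> pref that enables the suite.
      const cipherPrefs = {
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA: "security.ssl3.dhe_rsa_aes_128_sha",
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA: "security.ssl3.dhe_rsa_aes_256_sha",
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: "security.ssl3.ecdhe_rsa_aes_128_sha",
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: "security.ssl3.ecdhe_rsa_aes_256_sha",
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
          "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
          "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",
        TLS_RSA_WITH_AES_128_CBC_SHA: "security.ssl3.rsa_aes_128_sha",
        TLS_RSA_WITH_AES_256_CBC_SHA: "security.ssl3.rsa_aes_256_sha",
        TLS_RSA_WITH_3DES_EDE_CBC_SHA: "security.ssl3.rsa_des_ede3_sha",
      };
      for (const [cipher, pref] of Object.entries(cipherPrefs)) {
        // Only an explicit true disables the suite; false or absent leaves it alone.
        if (param[cipher] === true) {
          setAndLockPref(pref, false);
        }
      }
    },
  },
```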
--- a/mail/components/enterprisepolicies/schemas/policies-schema.json
+++ b/mail/components/enterprisepolicies/schemas/policies-schema.json
@@ -40,16 +40,49 @@
         }
       }
     },
 
     "DisableAppUpdate": {
       "type": "boolean"
     },
 
+    "DisabledCiphers": {
+      "type": "object",
+      "properties": {
+        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": {
+          "type": "boolean"
+        },
+        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": {
+          "type": "boolean"
+        },
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": {
+          "type": "boolean"
+        },
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": {
+          "type": "boolean"
+        },
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": {
+          "type": "boolean"
+        },
+        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": {
+          "type": "boolean"
+        },
+        "TLS_RSA_WITH_AES_128_CBC_SHA": {
+          "type": "boolean"
+        },
+        "TLS_RSA_WITH_AES_256_CBC_SHA": {
+          "type": "boolean"
+        },
+        "TLS_RSA_WITH_3DES_EDE_CBC_SHA": {
+          "type": "boolean"
+        }
+      }
+    },
+
     "DisableDeveloperTools": {
       "type": "boolean"
     },
 
     "DisableMasterPasswordCreation": {
       "type": "boolean"
     },
 
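Review bot: The `DisabledCiphers` object lists nine properties but does not restrict any others, so a misspelled suite name in a policy file would presumably pass validation and then match none of the checks in Policies.jsm. That leaves the suite enabled while the administrator believes it is off. If the policy schema validator honours it, adding `"additionalProperties": false` next to `"properties"` would turn such a typo into a visible validation error. Otherwise the handler could log any key it does not recognise.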
--- a/mail/locales/en-US/messenger/policies/policies-descriptions.ftl
+++ b/mail/locales/en-US/messenger/policies/policies-descriptions.ftl
@@ -26,16 +26,18 @@ policy-BlockAboutProfiles = Block access
 policy-BlockAboutSupport = Block access to the about:support page.
 
 policy-CaptivePortal = Enable or disable captive portal support.
 
 policy-CertificatesDescription = Add certificates or use built-in certificates.
 
 policy-Cookies = Allow or deny websites to set cookies.
 
+policy-DisabledCiphers = Disable ciphers.
+
 policy-DefaultDownloadDirectory = Set the default download directory.
 
 policy-DisableAppUpdate = Prevent { -brand-short-name } from updating.
 
 policy-DisableDeveloperTools = Block access to the developer tools.
 
 policy-DisableFeedbackCommands = Disable commands to send feedback from the Help menu (Submit Feedback and Report Deceptive Site).