Bug 1076983 - Disabling SSL 3.0 with pref, r=keeler a=lmandel
authorMartin Thomson <martin.thomson@gmail.com>
Thu, 02 Oct 2014 15:44:33 -0700
changeset 225765 8c9d5c14b866
parent 225764 a026594416c7
child 225766 4ff961ace0d0
push id4010
push usermartin.thomson@gmail.com
push date2014-10-22 19:49 +0000
treeherdermozilla-beta@8c9d5c14b866 [default view] [failures only]
reviewerskeeler, lmandel
bugs1076983
milestone34.0
Bug 1076983 - Disabling SSL 3.0 with pref, r=keeler a=lmandel From 123ed5d2d2215603b18a60f0c1307bedab4c1e08 Mon Sep 17 00:00:00 2001 --- netwerk/base/public/security-prefs.js | 2 +- security/manager/ssl/src/nsNSSComponent.cpp | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-)
netwerk/base/public/security-prefs.js
security/manager/ssl/src/nsNSSComponent.cpp
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -1,13 +1,13 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-pref("security.tls.version.min", 0);
+pref("security.tls.version.min", 1);
 pref("security.tls.version.max", 3);
 
 pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
 pref("security.ssl.renego_unrestricted_hosts", "");
 pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
 pref("security.ssl.require_safe_negotiation",  false);
 pref("security.ssl.warn_missing_rfc5746",  1);
 pref("security.ssl.enable_ocsp_stapling", true);
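Review bot: The changed `security.tls.version.min` line has no comment saying what the integer encodes or that the same default is hard-coded a second time, so a later edit here can silently diverge from the C++ fallback. The companion hunk in security/manager/ssl/src/nsNSSComponent.cpp carries `// keep these values in sync with security-prefs.js`, but nothing in this file points back the other way. I would add above the two version prefs: `// 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2; keep in sync with PSM_DEFAULT_MIN_TLS_VERSION / PSM_DEFAULT_MAX_TLS_VERSION in nsNSSComponent.cpp`.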
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -822,24 +822,23 @@ void nsNSSComponent::setValidationOption
   CertVerifier::ocsp_strict_config osc;
   CertVerifier::ocsp_get_config ogc;
 
   GetOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
   mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc,
                                                 pinningEnforcementLevel);
 }
 
-// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 (min
-// version) and TLS 1.2 (max version) when the prefs aren't set or set to
-// invalid values.
+// Enable the TLS versions given in the prefs, defaulting to TLS 1.0 (min) and
+// TLS 1.2 (max) when the prefs aren't set or set to invalid values.
 nsresult
 nsNSSComponent::setEnabledTLSVersions()
 {
   // keep these values in sync with security-prefs.js
-  static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0;
+  static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 1;
   static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 3;
 
   int32_t minVersion = Preferences::GetInt("security.tls.version.min",
                                            PSM_DEFAULT_MIN_TLS_VERSION);
   int32_t maxVersion = Preferences::GetInt("security.tls.version.max",
                                            PSM_DEFAULT_MAX_TLS_VERSION);
 
   // 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.
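Review bot: The rewritten header comment on `setEnabledTLSVersions()` describes only the fallback; it does not say that a stored `security.tls.version.min` of 0 is still read by the `Preferences::GetInt` call below and would keep SSL 3.0 negotiable for that profile. Whether the range check that follows accepts 0 is outside this hunk (the function body continues past the last line shown), so this is inferred from the retained `// 0 means SSL 3.0` mapping. If that is the intent, as the commit title suggests, I would state it in the comment: `// An explicit min of 0 still enables SSL 3.0; only the default moved to TLS 1.0.` A test asserting the effective minimum with the pref unset, set to 0, and set to an out-of-range value would pin the behaviour.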