#334, closes #489: enable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for amtrak.com

2025-04-15 06:37:10 +00:00 · 2018-03-19 20:35:28 -07:00 · 2018-03-19 20:35:28 -07:00 · 14d8add7ca
commit 14d8add7ca
parent 41675e9698
3 changed files with 15 additions and 0 deletions
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@ -19,6 +19,7 @@ pref("security.ssl.enable_alpn", true);
 pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
 pref("security.ssl3.ecdhe_rsa_aes_128_sha", true);
+pref("security.ssl3.ecdhe_rsa_aes_128_sha256", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true);
 pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@ -30,8 +30,10 @@ using namespace mozilla::psm;

 extern PRLogModuleInfo* gPIPNSSLog;

+#if (0) // TenFourFox issue 334
 static void AccumulateCipherSuite(Telemetry::ID probe,
                                  const SSLChannelInfo& channelInfo);
+#endif

 namespace {

@ -1027,6 +1029,7 @@ CanFalseStartCallback(PRFileDesc* fd, void* client_data, PRBool *canFalseStart)
  return SECSuccess;
 }

+#if(0) // TenFourFox issue 334
 static void
 AccumulateNonECCKeySize(Telemetry::ID probe, uint32_t bits)
 {
@ -1076,6 +1079,7 @@ AccumulateCipherSuite(Telemetry::ID probe, const SSLChannelInfo& channelInfo)
    case TLS_ECDHE_RSA_WITH_RC4_128_SHA: value = 8; break;
    case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: value = 9; break;
    case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: value = 10; break;
+    case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: value = 11; break; // just in case, issue 489
    // DHE key exchange
    case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: value = 21; break;
    case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: value = 22; break;
@ -1114,6 +1118,7 @@ AccumulateCipherSuite(Telemetry::ID probe, const SSLChannelInfo& channelInfo)
  MOZ_ASSERT(value != 0);
  Telemetry::Accumulate(probe, value);
 }
+#endif

 void HandshakeCallback(PRFileDesc* fd, void* client_data) {
  nsNSSShutDownPreventionLock locker;
@ -1146,6 +1151,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
  rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo));
  MOZ_ASSERT(rv == SECSuccess);
  if (rv == SECSuccess) {
+#if(0) // TenFourFox issue 334
    // Get the protocol version for telemetry
    // 1=tls1, 2=tls1.1, 3=tls1.2
    unsigned int versionEnum = channelInfo.protocolVersion & 0xFF;
@ -1155,6 +1161,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
      infoObject->IsFullHandshake() ? Telemetry::SSL_CIPHER_SUITE_FULL
                                    : Telemetry::SSL_CIPHER_SUITE_RESUMED,
      channelInfo);
+#endif

    SSLCipherSuiteInfo cipherInfo;
    rv = SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
@ -1163,17 +1170,20 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
    if (rv == SECSuccess) {
      usesWeakCipher = cipherInfo.symCipher == ssl_calg_rc4;

+#if(0)
      // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4
      Telemetry::Accumulate(
        infoObject->IsFullHandshake()
          ? Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_FULL
          : Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_RESUMED,
        cipherInfo.keaType);
+#endif

      DebugOnly<int16_t> KEAUsed;
      MOZ_ASSERT(NS_SUCCEEDED(infoObject->GetKEAUsed(&KEAUsed)) &&
                 (KEAUsed == cipherInfo.keaType));

+#if(0)
      if (infoObject->IsFullHandshake()) {
        switch (cipherInfo.keaType) {
          case ssl_kea_rsa:
@ -1223,6 +1233,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
            ? Telemetry::SSL_SYMMETRIC_CIPHER_FULL
            : Telemetry::SSL_SYMMETRIC_CIPHER_RESUMED,
          cipherInfo.symCipher);
+#endif
    }
  }

--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@ -623,6 +623,9 @@ static const CipherPref sCipherPrefs[] = {
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, true },
 { "security.ssl3.ecdhe_ecdsa_aes_128_sha",
   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, true },
+ // stopgap for TenFourFox issue 489 pending ChaCha20/Poly1305 implementation
+ { "security.ssl3.ecdhe_rsa_aes_128_sha256",
+   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, true },

 { "security.ssl3.ecdhe_rsa_aes_256_sha",
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, true },