Bug #10822: Introduce a pref to disable SSL session tracking

The pref, "security.disable_session_identifiers", disables both SSL3 session IDs and TLS session tracking. To be proposed for https://bugzilla.mozilla.org/show_bug.cgi?id=967977
arthuredelstein · Sep 3, 2014 · 272c9d70081b734692a9a42cf8621f1e05e43a31 · 272c9d7
1 parent cf81b21
commit 272c9d70081b734692a9a42cf8621f1e05e43a31
Showing with 16 additions and 1 deletion.

+4 −0 netwerk/base/public/security-prefs.js

+12 −1 security/manager/ssl/src/nsNSSComponent.cpp
diff --git a/netwerk/base/public/security-prefs.js b/netwerk/base/public/security-prefs.js
@@ -56,3 +56,7 @@ pref("security.OCSP.require", false);
 pref("security.OCSP.GET.enabled", false);
 
 pref("security.use_mozillapkix_verification", true);
+
+// If set to true, disables sending SSL3 Session IDs and TLS Session Tickets,
+// to prevent session tracking:
+pref("security.disable_session_identifiers", false);
diff --git a/security/manager/ssl/src/nsNSSComponent.cpp b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -858,6 +858,7 @@ static const bool FALSE_START_ENABLED_DEFAULT = true;
 static const bool NPN_ENABLED_DEFAULT = true;
 static const bool ALPN_ENABLED_DEFAULT = false;
 static const bool SECURITY_NOCERTDB_DEFAULT = false;
+static const bool DISABLE_SESSION_IDENTIFIERS_DEFAULT = false;
 
 namespace {
 
@@ -1194,7 +1195,11 @@ nsNSSComponent::InitializeNSS()
   InitCertVerifierLog();
   LoadLoadableRoots();
 
-  SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, true);
+  bool disableSessionIdentifiers =
+    Preferences::GetBool("security.disable_session_identifiers",
+                         DISABLE_SESSION_IDENTIFIERS_DEFAULT);
+  SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, !disableSessionIdentifiers);
+  SSL_OptionSetDefault(SSL_NO_CACHE, disableSessionIdentifiers);
 
   bool requireSafeNegotiation =
     Preferences::GetBool("security.ssl.require_safe_negotiation",
@@ -1600,6 +1605,12 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
     if (prefName.Equals("security.tls.version.min") ||
         prefName.Equals("security.tls.version.max")) {
       (void) setEnabledTLSVersions();
+    } else if (prefName.Equals("security.disable_session_identifiers")) {
+      bool disableSessionIdentifiers =
+        Preferences::GetBool("security.disable_session_identifiers",
+                             DISABLE_SESSION_IDENTIFIERS_DEFAULT);
+      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, !disableSessionIdentifiers);
+      SSL_OptionSetDefault(SSL_NO_CACHE, disableSessionIdentifiers);
     } else if (prefName.Equals("security.ssl.require_safe_negotiation")) {
       bool requireSafeNegotiation =
         Preferences::GetBool("security.ssl.require_safe_negotiation",