Add RSA-AES + SHA256/384 suites for web compatibility.

Sites with these ciphers (commonly IIS) would otherwise fall back to weak 3DES that will be disabled by default. Issue #4 points 2 and 3
roytam1 · Feb 14, 2019 · 05d35d3 · 05d35d3
1 parent 3ecea69
commit 05d35d3
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
@@ -31,11 +31,15 @@ pref("security.ssl3.dhe_rsa_aes_128_sha", true);
 pref("security.ssl3.dhe_rsa_camellia_256_sha", true);
 pref("security.ssl3.dhe_rsa_aes_256_sha", true);
 pref("security.ssl3.dhe_rsa_camellia_128_sha", true);
+pref("security.ssl3.rsa_aes_256_gcm_sha384", true);
+pref("security.ssl3.rsa_aes_256_sha256", true);
 pref("security.ssl3.rsa_camellia_128_sha", true);
 pref("security.ssl3.rsa_camellia_256_sha", true);
 pref("security.ssl3.rsa_aes_128_sha", true);
 pref("security.ssl3.rsa_aes_256_sha", true);
 pref("security.ssl3.rsa_des_ede3_sha", true);
+pref("security.ssl3.rsa_aes_128_gcm_sha256", false);
+pref("security.ssl3.rsa_aes_128_sha256", false);
 
 pref("security.content.signature.root_hash",
      "97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E");

diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
@@ -1361,6 +1361,10 @@ static const CipherPref sCipherPrefs[] = {
  { "security.tls13.aes_256_gcm_sha384",
    TLS_AES_256_GCM_SHA384, true },
 
+ { "security.ssl3.rsa_aes_256_gcm_sha384",
+   TLS_RSA_WITH_AES_256_GCM_SHA384, true }, 
+ { "security.ssl3.rsa_aes_256_sha256",
+   TLS_RSA_WITH_AES_256_CBC_SHA256, true }, 
  {"security.ssl3.rsa_camellia_128_sha",
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, true },
  {"security.ssl3.rsa_camellia_256_sha",
@@ -1369,6 +1373,10 @@ static const CipherPref sCipherPrefs[] = {
    TLS_RSA_WITH_AES_128_CBC_SHA, true }, // deprecated (RSA key exchange)
  { "security.ssl3.rsa_aes_256_sha",
    TLS_RSA_WITH_AES_256_CBC_SHA, true }, // deprecated (RSA key exchange)
+ { "security.ssl3.rsa_aes_128_gcm_sha256",
+   TLS_RSA_WITH_AES_128_GCM_SHA256, false }, // Deprecated
+ { "security.ssl3.rsa_aes_128_sha256",
+   TLS_RSA_WITH_AES_128_CBC_SHA256, false }, // Deprecated
  { "security.ssl3.rsa_des_ede3_sha",
    TLS_RSA_WITH_3DES_EDE_CBC_SHA, true }, // deprecated (RSA key exchange, 3DES)