From 3b70762534d82b9dc0bc59934327e981f032e69f Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 20 Jul 2017 14:11:42 +0200 Subject: Add Camellia to the active cipher suites. Issue #4 point 1. Camellia is a strong, modern, safe cipher with no known weaknesses or reduced strength attacks. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. --- security/manager/ssl/nsNSSComponent.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'security/manager') diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index d53f846ed..b46e69cbc 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1347,9 +1347,13 @@ static const CipherPref sCipherPrefs[] = { { "security.ssl3.dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, true }, + { "security.ssl3.dhe_rsa_camellia_256_sha", + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, true}, { "security.ssl3.dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, true }, + { "security.ssl3.dhe_rsa_camellia_128_sha", + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, true }, { "security.tls13.aes_128_gcm_sha256", TLS_AES_128_GCM_SHA256, true }, { "security.tls13.chacha20_poly1305_sha256", @@ -1357,6 +1361,10 @@ static const CipherPref sCipherPrefs[] = { { "security.tls13.aes_256_gcm_sha384", TLS_AES_256_GCM_SHA384, true }, + {"security.ssl3.rsa_camellia_128_sha", + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, true }, + {"security.ssl3.rsa_camellia_256_sha", + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, true }, { "security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, true }, // deprecated (RSA key exchange) { "security.ssl3.rsa_aes_256_sha", -- cgit v1.2.3 From acaf15453c3c00b2fa387239ae854736383134db Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 20 Jul 2017 14:17:40 +0200 Subject: Add RSA-AES + SHA256/384 suites for web compatibility. Sites with these ciphers (commonly IIS) would otherwise fall back to weak 3DES that will be disabled by default. Issue #4 points 2 and 3 --- security/manager/ssl/nsNSSComponent.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'security/manager') diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index b46e69cbc..89b33b7c2 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1361,6 +1361,10 @@ static const CipherPref sCipherPrefs[] = { { "security.tls13.aes_256_gcm_sha384", TLS_AES_256_GCM_SHA384, true }, + { "security.ssl3.rsa_aes_256_gcm_sha384", + TLS_RSA_WITH_AES_256_GCM_SHA384, true }, + { "security.ssl3.rsa_aes_256_sha256", + TLS_RSA_WITH_AES_256_CBC_SHA256, true }, {"security.ssl3.rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, true }, {"security.ssl3.rsa_camellia_256_sha", @@ -1369,6 +1373,10 @@ static const CipherPref sCipherPrefs[] = { TLS_RSA_WITH_AES_128_CBC_SHA, true }, // deprecated (RSA key exchange) { "security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, true }, // deprecated (RSA key exchange) + { "security.ssl3.rsa_aes_128_gcm_sha256", + TLS_RSA_WITH_AES_128_GCM_SHA256, false }, // Deprecated + { "security.ssl3.rsa_aes_128_sha256", + TLS_RSA_WITH_AES_128_CBC_SHA256, false }, // Deprecated { "security.ssl3.rsa_des_ede3_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA, true }, // deprecated (RSA key exchange, 3DES) -- cgit v1.2.3 From d98565a287341f86f07eafac47ce076b51cd94f4 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 20 Jul 2017 14:19:54 +0200 Subject: Disable 3DES cipher by default + re-order a few things. Issue #4 point 4 --- security/manager/ssl/nsNSSComponent.cpp | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'security/manager') diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index 89b33b7c2..1bcdcc1b0 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1344,9 +1344,6 @@ static const CipherPref sCipherPrefs[] = { { "security.ssl3.ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, true }, - { "security.ssl3.dhe_rsa_aes_128_sha", - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, true }, - { "security.ssl3.dhe_rsa_camellia_256_sha", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, true}, { "security.ssl3.dhe_rsa_aes_256_sha", @@ -1354,6 +1351,9 @@ static const CipherPref sCipherPrefs[] = { { "security.ssl3.dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, true }, + { "security.ssl3.dhe_rsa_aes_128_sha", + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, true }, + { "security.tls13.aes_128_gcm_sha256", TLS_AES_128_GCM_SHA256, true }, { "security.tls13.chacha20_poly1305_sha256", @@ -1361,6 +1361,7 @@ static const CipherPref sCipherPrefs[] = { { "security.tls13.aes_256_gcm_sha384", TLS_AES_256_GCM_SHA384, true }, + // Deprecated (RSA key exchange): { "security.ssl3.rsa_aes_256_gcm_sha384", TLS_RSA_WITH_AES_256_GCM_SHA384, true }, { "security.ssl3.rsa_aes_256_sha256", @@ -1370,15 +1371,17 @@ static const CipherPref sCipherPrefs[] = { {"security.ssl3.rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, true }, { "security.ssl3.rsa_aes_128_sha", - TLS_RSA_WITH_AES_128_CBC_SHA, true }, // deprecated (RSA key exchange) + TLS_RSA_WITH_AES_128_CBC_SHA, true }, { "security.ssl3.rsa_aes_256_sha", - TLS_RSA_WITH_AES_256_CBC_SHA, true }, // deprecated (RSA key exchange) + TLS_RSA_WITH_AES_256_CBC_SHA, true }, + +// Expensive/deprecated/weak { "security.ssl3.rsa_aes_128_gcm_sha256", TLS_RSA_WITH_AES_128_GCM_SHA256, false }, // Deprecated { "security.ssl3.rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, false }, // Deprecated { "security.ssl3.rsa_des_ede3_sha", - TLS_RSA_WITH_3DES_EDE_CBC_SHA, true }, // deprecated (RSA key exchange, 3DES) + TLS_RSA_WITH_3DES_EDE_CBC_SHA, false }, // Weak (3DES) // All the rest are disabled -- cgit v1.2.3