Bug 1109766: Require AES-GCM for TLS False Start, r=keeler

--HG--
extra : rebase_source : 8370c628863e644131ed1fbe6b8e49b5dc1215dc
Brian Smith 2014-12-10 10:19:00 -08:00
parent 5c47242dce
commit a0b84fea0a


@ -1008,16 +1008,10 @@ CanFalseStartCallback(PRFileDesc* fd, void* client_data, PRBool *canFalseStart)
} }
} }
// Prevent downgrade attacks on the symmetric cipher. We accept downgrades // Prevent downgrade attacks on the symmetric cipher. We do not allow CBC
// from 256-bit keys to 128-bit keys and we treat AES and Camellia as being // mode due to BEAST, POODLE, and other attacks on the MAC-then-Encrypt
// equally secure. We consider every message authentication mechanism that we // design. See bug 1109766 for more details.
// support *for these ciphers* to be equally-secure. We assume that for CBC if (cipherInfo.symCipher != ssl_calg_aes_gcm) {
// mode, that the server has implemented all the same mitigations for
// published attacks that we have, or that those attacks are not relevant in
// the decision to false start.
if (cipherInfo.symCipher != ssl_calg_aes_gcm &&
cipherInfo.symCipher != ssl_calg_aes &&
cipherInfo.symCipher != ssl_calg_camellia) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
("CanFalseStartCallback [%p] failed - Symmetric cipher used, %d, " ("CanFalseStartCallback [%p] failed - Symmetric cipher used, %d, "
"is not supported with False Start.\n", fd, "is not supported with False Start.\n", fd,