Bug 1247250 - Enable TLS 1.3 draft 11 anti-downgrade on non-secure fallback. r=keeler
This commit is contained in:
parent
4344d28e17
commit
e1c41da56e
1
config/external/nss/nss.symbols
vendored
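--- a/config/external/nss/nss.symbols
+++ b/config/external/nss/nss.symbols
@@ -673,6 +673,7 @@ SSL_PeerCertificateChain
 SSL_PeerStapledOCSPResponses
 SSL_ResetHandshake
 SSL_SetCanFalseStartCallback
+SSL_SetDowngradeCheckVersion
 SSL_SetNextProtoNego
 SSL_SetPKCS11PinArg
 SSL_SetSockPeerID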
@ -1078,7 +1078,10 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
|
|||||||
nsIWebProgressListener::STATE_USES_SSL_3);
|
nsIWebProgressListener::STATE_USES_SSL_3);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (err == SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT) {
|
// NSS will return SSL_ERROR_RX_MALFORMED_SERVER_HELLO if TLS 1.3
|
||||||
|
// anti-downgrade detected the downgrade.
|
||||||
|
if (err == SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT ||
|
||||||
|
err == SSL_ERROR_RX_MALFORMED_SERVER_HELLO) {
|
||||||
// This is a clear signal that we've fallen back too many versions. Treat
|
// This is a clear signal that we've fallen back too many versions. Treat
|
||||||
// this as a hard failure, but forget any intolerance so that later attempts
|
// this as a hard failure, but forget any intolerance so that later attempts
|
||||||
// don't use this version (i.e., range.max) and trigger the error again.
|
// don't use this version (i.e., range.max) and trigger the error again.
|
||||||
@ -2555,6 +2558,11 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
|
|||||||
if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, true)) {
|
if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, true)) {
|
||||||
return NS_ERROR_FAILURE;
|
return NS_ERROR_FAILURE;
|
||||||
}
|
}
|
||||||
|
// tell NSS to enable the max enabled version to make TLS 1.3
|
||||||
|
// anti-downgrade effective
|
||||||
|
if (SECSuccess != SSL_SetDowngradeCheckVersion(fd, maxEnabledVersion)) {
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
bool enabled = infoObject->SharedState().IsOCSPStaplingEnabled();
|
bool enabled = infoObject->SharedState().IsOCSPStaplingEnabled();
|
||||||
|
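Review bot: The new SSL_SetDowngradeCheckVersion call lacks a comment pinning what maxEnabledVersion has to be: as I understand NSS's draft-11 check, the ServerHello.random sentinel is evaluated against the version passed here, so it must be the client's originally configured maximum rather than the reduced range.max of this fallback attempt, otherwise the comparison is made against the already-downgraded version and can never fire; maxEnabledVersion is defined outside the hunk, so I cannot confirm which it is. I'd add `// maxEnabledVersion must be the pre-fallback maximum, or the sentinel check cannot detect a downgrade below it` directly above the call. The existing comment's wording ("enable the max enabled version") is also confusing; suggest `// Tell NSS the highest version we really support so the TLS 1.3 anti-downgrade check on ServerHello.random is effective during this fallback.` The enclosing if block, including its condition, begins before this hunk, so that this runs only on the SCSV fallback path is inferred from the adjacent SSL_ENABLE_FALLBACK_SCSV call rather than visible here.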