author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-10 17:35:49 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-10 17:35:49 +0000 |
commit | 8342677414b8463ece6cb6f5c749e0ca1d2953df (patch) | |
tree | e8d040623d4435badfd6efcd73daee6e4e7e9167 | |
parent | 75f9d4019c7d9f9f501b7125a36a840d773c1d84 (diff) | |
List TLS_DHE_RSA_WITH_AES_256_CBC_SHA after
TLS_RSA_WITH_AES_256_CBC_SHA in ClientHello so that we
communicate securely with some servers that use 256-bit
DH keys.
The proper fix is to upgrade to NSS 3.12.7 to pick up
the DH key size checks. This is just a workaround.
R=agl
BUG=51694
TEST=none
Review URL: http://codereview.chromium.org/3118002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@55580 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | net/third_party/nss/README.chromium | 8 | ||||
-rw-r--r-- | net/third_party/nss/patches/deprioritizedhe.patch | 58 | ||||
-rw-r--r-- | net/third_party/nss/ssl/ssl3con.c | 2 | ||||
-rw-r--r-- | net/third_party/nss/ssl/sslenum.c | 2 |
4 files changed, 68 insertions, 2 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index b1141fe..0159106 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -28,5 +28,13 @@ Patches: they're available when we resume a session. patches/cachecerts.patch
+ * List TLS_DHE_RSA_WITH_AES_256_CBC_SHA after TLS_RSA_WITH_AES_256_CBC_SHA
+ in ClientHello to communicate securely with some servers that use
+ 256-bit DH keys. Remove this patch when we upgrade to NSS 3.12.7,
+ which rejects DH keys shorter than 512 bits.
+ patches/deprioritizedhe.patch
+ http://crbug.com/51694
+ https://bugzilla.mozilla.org/show_bug.cgi?id=583337
+
 The ssl/bodge directory contains files taken from the NSS repo that we required for building libssl outside of its usual build environment.
diff --git a/net/third_party/nss/patches/deprioritizedhe.patch b/net/third_party/nss/patches/deprioritizedhe.patch
new file mode 100644
index 0000000..8784015
--- /dev/null
+++ b/net/third_party/nss/patches/deprioritizedhe.patch
@@ -0,0 +1,58 @@
+diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
+--- a/security/nss/lib/ssl/ssl3con.c
++++ b/security/nss/lib/ssl/ssl3con.c
+@@ -106,24 +106,24 @@ static SECStatus Null_Cipher(void *ctx,
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+ /* cipher_suite policy enabled is_present*/
+ #ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ #ifdef NSS_ENABLE_ECC
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+
+ #ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+diff --git a/security/nss/lib/ssl/sslenum.c b/security/nss/lib/ssl/sslenum.c
+--- a/security/nss/lib/ssl/sslenum.c
++++ b/security/nss/lib/ssl/sslenum.c
+@@ -61,24 +61,24 @@
+ const PRUint16 SSL_ImplementedCiphers[] = {
+ /* 256-bit */
+ #ifdef NSS_ENABLE_ECC
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ #endif /* NSS_ENABLE_ECC */
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+ #ifdef NSS_ENABLE_ECC
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+ #endif /* NSS_ENABLE_ECC */
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+
+ /* 128-bit */
+ #ifdef NSS_ENABLE_ECC
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ #endif /* NSS_ENABLE_ECC */
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index e4189b0..5b194a6 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -110,7 +110,6 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
 #endif /* NSS_ENABLE_ECC */
 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
@@ -118,6 +117,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
 #endif /* NSS_ENABLE_ECC */
 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
diff --git a/net/third_party/nss/ssl/sslenum.c b/net/third_party/nss/ssl/sslenum.c
index b8aa8cc..a70a728 100644
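Review bot: Only `TLS_DHE_RSA_WITH_AES_256_CBC_SHA` is moved in `cipherSuites[]`, so the other DHE entries visible in the first ssl3con.c hunk (`TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_256_CBC_SHA`) still sit ahead of every RSA key-exchange suite; if any of them is enabled at runtime, a server with a short DH key can presumably still negotiate DHE, and the same holds for the parallel list `SSL_ImplementedCiphers[]` in sslenum.c. The moved line also carries no comment, so the deliberate out-of-order placement is explained only in README.chromium and is easy to undo in a later NSS merge; I would add `/* Chromium: listed after TLS_RSA_WITH_AES_256_CBC_SHA for servers with 256-bit DH keys, http://crbug.com/51694. Restore the upstream order with NSS 3.12.7. */` above it in both files. The reorder applies to every server, so one that follows client order and supports both suites now gets RSA key exchange without forward secrecy for AES-256, which is worth recording in that comment as the accepted cost. Both arrays start and end outside the hunks, so the enabled set and the remaining ordering cannot be checked from here.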
--- a/net/third_party/nss/ssl/sslenum.c
+++ b/net/third_party/nss/ssl/sslenum.c
@@ -66,7 +66,6 @@ const PRUint16 SSL_ImplementedCiphers[] = {
 #endif /* NSS_ENABLE_ECC */
 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
 #ifdef NSS_ENABLE_ECC
 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
@@ -74,6 +73,7 @@ const PRUint16 SSL_ImplementedCiphers[] = {
 #endif /* NSS_ENABLE_ECC */
 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
 TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
 /* 128-bit */
 #ifdef NSS_ENABLE_ECC |