Reland 125571 - Turn off TLS_RSA_WITH_RC4_128_MD5.

Although HMAC-MD5 is still considered secure, it is an eyesore to
people who audit the use of MD5. Enabling TLS_RSA_WITH_RC4_128_SHA
is enough.

R=rsleevi@chromium.org
BUG=none
TEST=none

Review URL: http://codereview.chromium.org/9666016

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@125973 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 4 insertions, 1 deletions

diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index f4dc8be..84d185e 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,6 +8,7 @@
 #include <secerr.h>
 #include <ssl.h>
 #include <sslerr.h>
+#include <sslproto.h>
 
 #include <string>
 
@@ -47,6 +48,7 @@ class NSSSSLInitSingleton {
 #endif
 
     // Explicitly enable exactly those ciphers with keys of at least 80 bits
+    // except TLS_RSA_WITH_RC4_128_MD5.
     for (int i = 0; i < SSL_NumImplementedCiphers; i++) {
       SSLCipherSuiteInfo info;
       if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info,
@@ -55,6 +57,7 @@ class NSSSSLInitSingleton {
                                  (info.effectiveKeyBits >= 80));
       }
     }
+    SSL_CipherPrefSetDefault(SSL_RSA_WITH_RC4_128_MD5, PR_FALSE);
 
     // Enable SSL.
     SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);