Commit e19be605 authored by Arthur Edelstein Committed by Mike Perry

Bug #10822: Introduce a pref to disable SSL session tracking

The pref, "security.disable_session_identifiers", disables both SSL3
session IDs and TLS session tracking. To be proposed for
https://bugzilla.mozilla.org/show_bug.cgi?id=967977
parent e0fc941d
+4 −0
@@ -56,3 +56,7 @@ pref("security.OCSP.require", false);
pref("security.OCSP.GET.enabled", false);

pref("security.use_mozillapkix_verification", true);

// If set to true, disables sending SSL3 Session IDs and TLS Session Tickets,
// to prevent session tracking:
pref("security.ssl.disable_session_identifiers", false);
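Review bot: The pref is registered here as `security.ssl.disable_session_identifiers`, but the commit description names it `security.disable_session_identifiers`. Anyone who sets the name given in the description gets no protection and no error, because the C++ side reads only the `security.ssl.` name and otherwise falls back to its `false` default. With that default, session IDs and session tickets stay enabled unless a build or profile overrides the pref, which is worth stating in the comment, e.g. `// Default false keeps session resumption (and the tracking vector) enabled.`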
+12 −1
@@ -858,6 +858,7 @@ static const bool FALSE_START_ENABLED_DEFAULT = true;
static const bool NPN_ENABLED_DEFAULT = true;
static const bool ALPN_ENABLED_DEFAULT = false;
static const bool SECURITY_NOCERTDB_DEFAULT = false;
static const bool DISABLE_SESSION_IDENTIFIERS_DEFAULT = false;

namespace {

@@ -1193,7 +1194,11 @@ nsNSSComponent::InitializeNSS()
  InitCertVerifierLog();
  LoadLoadableRoots();

  SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, true);
  bool disableSessionIdentifiers =
    Preferences::GetBool("security.ssl.disable_session_identifiers",
                         DISABLE_SESSION_IDENTIFIERS_DEFAULT);
  SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, !disableSessionIdentifiers);
  SSL_OptionSetDefault(SSL_NO_CACHE, disableSessionIdentifiers);

  bool requireSafeNegotiation =
    Preferences::GetBool("security.ssl.require_safe_negotiation",
@@ -1599,6 +1604,12 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
    if (prefName.Equals("security.tls.version.min") ||
        prefName.Equals("security.tls.version.max")) {
      (void) setEnabledTLSVersions();
    } else if (prefName.Equals("security.ssl.disable_session_identifiers")) {
      bool disableSessionIdentifiers =
        Preferences::GetBool("security.ssl.disable_session_identifiers",
                             DISABLE_SESSION_IDENTIFIERS_DEFAULT);
      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, !disableSessionIdentifiers);
      SSL_OptionSetDefault(SSL_NO_CACHE, disableSessionIdentifiers);
    } else if (prefName.Equals("security.ssl.require_safe_negotiation")) {
      bool requireSafeNegotiation =
        Preferences::GetBool("security.ssl.require_safe_negotiation",
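Review bot: In the `Observe` branch for `security.ssl.disable_session_identifiers`, turning the pref on at runtime only changes the defaults for sockets created afterwards. Session IDs and tickets already in the NSS client session cache are left in place and, as far as these hunks show, could be resumed again if the pref is later switched back, linking activity across the toggle. Clearing the cache when the pref becomes true would close that gap: `if (disableSessionIdentifiers) { SSL_ClearSessionCache(); }`. The same read-pref-then-set-two-options sequence is duplicated in `InitializeNSS`, so a small file-local helper called from both places would keep `SSL_ENABLE_SESSION_TICKETS` and `SSL_NO_CACHE` from drifting apart. Both functions continue outside the hunks.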