Commit b2cd1171 authored by J.C. Jones's avatar J.C. Jones

Bug 1562773 - Add a preference to enable Delegated Credentials in NSS r=keeler

This patch adds a new pref, "security.tls.enable_delegated_credentials",
default false, which controls the NSS option SSL_ENABLE_DELEGATED_CREDENTIALS.

Tests are in D37918.

Differential Revision: https://phabricator.services.mozilla.com/D37907

--HG--
extra : moz-landing-system : lando
parent 2f4cd365
+12 −0
@@ -1004,6 +1004,7 @@ static const bool ALPN_ENABLED_DEFAULT = false;
static const bool ENABLED_0RTT_DATA_DEFAULT = false;
static const bool HELLO_DOWNGRADE_CHECK_DEFAULT = false;
static const bool ENABLED_POST_HANDSHAKE_AUTH_DEFAULT = false;
static const bool DELEGATED_CREDENTIALS_ENABLED_DEFAULT = false;

static void ConfigureTLSSessionIdentifiers() {
  bool disableSessionIdentifiers =
@@ -1760,6 +1761,11 @@ nsresult nsNSSComponent::InitializeNSS() {
      Preferences::GetBool("security.tls.enable_post_handshake_auth",
                           ENABLED_POST_HANDSHAKE_AUTH_DEFAULT));

  SSL_OptionSetDefault(
      SSL_ENABLE_DELEGATED_CREDENTIALS,
      Preferences::GetBool("security.tls.enable_delegated_credentials",
                           DELEGATED_CREDENTIALS_ENABLED_DEFAULT));

  rv = InitializeCipherSuite();
  MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
  if (NS_FAILED(rv)) {
@@ -1936,6 +1942,12 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
          SSL_ENABLE_POST_HANDSHAKE_AUTH,
          Preferences::GetBool("security.tls.enable_post_handshake_auth",
                               ENABLED_POST_HANDSHAKE_AUTH_DEFAULT));
    } else if (prefName.EqualsLiteral(
                   "security.tls.enable_delegated_credentials")) {
      SSL_OptionSetDefault(
          SSL_ENABLE_DELEGATED_CREDENTIALS,
          Preferences::GetBool("security.tls.enable_delegated_credentials",
                               DELEGATED_CREDENTIALS_ENABLED_DEFAULT));
    } else if (prefName.EqualsLiteral(
                   "security.ssl.disable_session_identifiers")) {
      ConfigureTLSSessionIdentifiers();
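Review bot: The SECStatus returned by `SSL_OptionSetDefault(SSL_ENABLE_DELEGATED_CREDENTIALS, ...)` is discarded at both new call sites, in `nsNSSComponent::InitializeNSS()` and in the `Observe()` branch for `security.tls.enable_delegated_credentials`, so a failure to apply the pref is silent. That matters most in the off direction: if the pref is flipped to false at runtime and the call fails, the process default stays enabled while the pref reads disabled. The neighbouring post-handshake-auth calls ignore the result in the same way, so this may be an accepted convention here, but capturing the status and checking it, e.g. `MOZ_DIAGNOSTIC_ASSERT(srv == SECSuccess);`, would surface the mismatch. The `Observe()` branch would also benefit from a comment such as `// Sets the default for sockets created after this call; existing sockets presumably keep their option.` Both functions begin and end outside the hunks shown.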
+1 −0
@@ -16,6 +16,7 @@ pref("security.tls.hello_downgrade_check", false);
#else
pref("security.tls.hello_downgrade_check", true);
#endif
pref("security.tls.enable_delegated_credentials", false);

pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
pref("security.ssl.require_safe_negotiation",  false);
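Review bot: The new `pref("security.tls.enable_delegated_credentials", false);` line carries no comment, and its default is duplicated by `DELEGATED_CREDENTIALS_ENABLED_DEFAULT` in the C++ part of this commit. A short comment such as `// TLS delegated credentials; keep in sync with DELEGATED_CREDENTIALS_ENABLED_DEFAULT in the nsNSSComponent code.` would tell whoever later changes the default that the fallback constant has to change with it. Otherwise the two values can disagree whenever the pref is absent and the C++ fallback is used.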