--- a/media/mtransport/transportlayerdtls.cpp
+++ b/media/mtransport/transportlayerdtls.cpp
@@ -448,16 +448,25 @@ TransportLayerDtls::SetVerificationDiges
digests_.push_back(new VerificationDigest(
digest_algorithm, digest_value, digest_len));
verification_mode_ = VERIFY_DIGEST;
return NS_OK;
}
+// These are the named groups that we will allow.
+static const SSLNamedGroup NamedGroupPreferences[] = {
+ ssl_grp_ec_curve25519,
+ ssl_grp_ec_secp256r1,
+ ssl_grp_ec_secp384r1,
+ ssl_grp_ffdhe_2048,
+ ssl_grp_ffdhe_3072
+};
+
// TODO: make sure this is called from STS. Otherwise
// we have thread safety issues
bool TransportLayerDtls::Setup() {
CheckThread();
SECStatus rv;
if (!downward_) {
MOZ_MTLOG(ML_ERROR, "DTLS layer with nothing below. This is useless");
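Review bot: The comment on `NamedGroupPreferences` says only that these groups are allowed, but the array name and its use with `SSL_NamedGroupConfig` suggest that element order is also the negotiation preference. I believe NSS treats this list as ordered, so a maintainer who re-sorts or appends to it changes which group is chosen first. I would reword the comment to `// Named groups we allow, in preference order (most preferred first). Anything not listed is disabled.`. It is also worth recording why `ssl_grp_ffdhe_2048` is kept, presumably for interoperability, so that nobody removes or reorders it without knowing the reason.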
@@ -582,16 +591,23 @@ bool TransportLayerDtls::Setup() {
MOZ_MTLOG(ML_ERROR, "Couldn't disable ECDHE key reuse");
return false;
}
if (!SetupCipherSuites(ssl_fd)) {
return false;
}
+ rv = SSL_NamedGroupConfig(ssl_fd, NamedGroupPreferences,
+ mozilla::ArrayLength(NamedGroupPreferences));
+ if (rv != SECSuccess) {
+ MOZ_MTLOG(ML_ERROR, "Couldn't set named groups");
+ return false;
+ }
+
// Certificate validation
rv = SSL_AuthCertificateHook(ssl_fd, AuthCertificateHook,
reinterpret_cast<void *>(this));
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't set certificate validation hook");
return false;
}
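Review bot: The new `SSL_NamedGroupConfig` call restricts the groups that are offered and accepted via negotiation, but it may not by itself reject a (D)TLS 1.2 peer that sends custom finite-field DH parameters. As far as I know, NSS only enforces that when `SSL_REQUIRE_DH_NAMED_GROUPS` is enabled on the socket. If any DHE suites remain enabled, consider adding `rv = SSL_OptionSet(ssl_fd, SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);` with the same log-and-return-false handling, after weighing the interoperability cost for peers that do not use the named FFDHE groups. `Setup()` begins and ends outside this hunk, and `SetupCipherSuites` is not shown, so the option may already be set or DHE may already be disabled elsewhere; please confirm.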
@@ -686,44 +702,36 @@ static const uint32_t DisabledCiphers[]
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_RSA_WITH_SEED_CBC_SHA,
- SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_RC4_128_MD5,
TLS_DHE_RSA_WITH_DES_CBC_SHA,
TLS_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_RSA_FIPS_WITH_DES_CBC_SHA,
TLS_RSA_WITH_DES_CBC_SHA,
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-
- TLS_RSA_EXPORT_WITH_RC4_40_MD5,
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-
TLS_ECDHE_ECDSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_ECDSA_WITH_NULL_SHA,
TLS_ECDH_RSA_WITH_NULL_SHA,
-
TLS_RSA_WITH_NULL_SHA,
TLS_RSA_WITH_NULL_SHA256,
TLS_RSA_WITH_NULL_MD5,
};
bool TransportLayerDtls::SetupCipherSuites(PRFileDesc* ssl_fd) const {
SECStatus rv;
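Review bot: `DisabledCiphers` is a deny-list, so any suite NSS implements that is missing from it keeps whatever default NSS gives it. Having to add `TLS_RSA_WITH_AES_256_GCM_SHA384` here suggests a static-RSA suite (no forward secrecy) was not covered until now. The body of `SetupCipherSuites` is outside this hunk, so I cannot tell whether it first disables everything and then enables an explicit list; if it does not, that would be the more robust shape. Either way I would add a comment above the array such as `// Every suite NSS implements must appear in either the enabled or the disabled list; update both when NSS adds suites.`. A unit test could back it by walking `SSL_GetImplementedCiphers()` and checking that each entry is in one of the two lists.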