diff --git a/netwerk/base/public/security-prefs.js b/netwerk/base/public/security-prefs.js
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -1,14 +1,14 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 pref("security.tls.version.min", 0);
-pref("security.tls.version.max", 1);
+pref("security.tls.version.max", 2);
 pref("security.enable_tls_session_tickets", true);
 pref("security.enable_md5_signatures", false);
 pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
 pref("security.ssl.renego_unrestricted_hosts", "");
 pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
 pref("security.ssl.require_safe_negotiation", false);
 pref("security.ssl.warn_missing_rfc5746", 1);
diff --git a/security/manager/ssl/src/nsNSSComponent.cpp b/security/manager/ssl/src/nsNSSComponent.cpp
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -963,24 +963,25 @@ void nsNSSComponent::setValidationOption
 /*
 * The new defaults might change the validity of already established SSL sessions,
 * let's not reuse them.
 */
 SSL_ClearSessionCache();
 }
-// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 and
-// TLS 1.0 when the prefs aren't set or when they are set to invalid values.
+// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 (min
+// version) and TLS 1.1 (max version) when the prefs aren't set or set to
+// invalid values.
 nsresult
 nsNSSComponent::setEnabledTLSVersions(nsIPrefBranch * prefBranch)
 {
- // keep these values in sync with security-prefs.js and firefox.js
+ // keep these values in sync with security-prefs.js
 static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0;
- static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 1;
+ static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 2;
 int32_t minVersion = PSM_DEFAULT_MIN_TLS_VERSION;
 int32_t maxVersion = PSM_DEFAULT_MAX_TLS_VERSION;
 mPrefBranch->GetIntPref("security.tls.version.min", &minVersion);
 mPrefBranch->GetIntPref("security.tls.version.max", &maxVersion);
 // 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.
 minVersion += SSL_LIBRARY_VERSION_3_0;
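Review bot: `PSM_DEFAULT_MAX_TLS_VERSION = 2` is a bare pref-scale number whose meaning is only explained several lines further down (`// 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.`), and it duplicates the `security.tls.version.max` default in security-prefs.js with only a comment keeping the two in sync. I would annotate the constants where they are defined, e.g. `static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 2; // TLS 1.1 (offset from SSL_LIBRARY_VERSION_3_0)`, so a later bump cannot silently disagree with the comment above the function. The sync comment also drops firefox.js; if an application-level pref file still sets `security.tls.version.max`, it would presumably override the new default, which is worth confirming. The comment above the function promises these defaults for invalid pref values, but that fallback lies in the part of setEnabledTLSVersions outside this hunk, so check that it is derived from these two constants rather than from a separately hard-coded version.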