|
 |
77fff82 |
# HG changeset patch
|
|
|
77fff82 |
# User Franziskus Kiefer <franziskuskiefer@gmail.com>
|
|
|
77fff82 |
# Date 1469717280 -7200
|
|
|
77fff82 |
# Thu Jul 28 16:48:00 2016 +0200
|
|
|
77fff82 |
# Node ID 95aa61f1e3562e526bf88179d9d078fd90ad1bda
|
|
|
77fff82 |
# Parent d42aacfe34af25e2f5110e2ca3d24a210eabeb33
|
|
|
77fff82 |
Update keybits in H2, r=mt
|
|
|
77fff82 |
|
|
|
77fff82 |
MozReview-Commit-ID: 35oWoDMqe1Y
|
|
|
77fff82 |
|
|
|
77fff82 |
diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
|
|
|
77fff82 |
--- a/netwerk/protocol/http/Http2Session.cpp
|
|
|
77fff82 |
+++ b/netwerk/protocol/http/Http2Session.cpp
|
|
|
77fff82 |
@@ -3544,18 +3544,18 @@ Http2Session::ConfirmTLSProfile()
|
|
|
77fff82 |
RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
|
|
|
77fff82 |
}
|
|
|
77fff82 |
|
|
|
77fff82 |
uint32_t keybits = ssl->GetKEAKeyBits();
|
|
|
77fff82 |
if (kea == ssl_kea_dh && keybits < 2048) {
|
|
|
77fff82 |
LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
|
|
|
77fff82 |
this, keybits));
|
|
|
77fff82 |
RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
|
|
|
77fff82 |
- } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
|
|
|
77fff82 |
- LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
|
|
|
77fff82 |
+ } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
|
|
|
77fff82 |
+ LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
|
|
|
77fff82 |
this, keybits));
|
|
|
77fff82 |
RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
|
|
|
77fff82 |
}
|
|
|
77fff82 |
|
|
|
77fff82 |
int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
|
|
|
77fff82 |
LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
|
|
|
77fff82 |
this, macAlgorithm));
|
|
|
77fff82 |
if (macAlgorithm != nsISSLSocketControl::SSL_MAC_AEAD) {
|