blob: 92c1376aeb87ddff868bb62037c41c6feaeb6fef (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
# HG changeset patch
# User Franziskus Kiefer <franziskuskiefer@gmail.com>
# Date 1469717280 -7200
# Node ID 361ac226da2a83516db8d4e4c5b41a69b3ba754f
# Parent 5d5d3ef04f3f77bb95616f56c129256a89f57831
Bug 1290037 - Update keybits in H2, r=mt
MozReview-Commit-ID: 35oWoDMqe1Y
diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
--- a/netwerk/protocol/http/Http2Session.cpp
+++ b/netwerk/protocol/http/Http2Session.cpp
@@ -3544,18 +3544,18 @@ Http2Session::ConfirmTLSProfile()
RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
}
uint32_t keybits = ssl->GetKEAKeyBits();
if (kea == ssl_kea_dh && keybits < 2048) {
LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
this, keybits));
RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
- } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
- LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
+ } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
+ LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
this, keybits));
RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
}
int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
this, macAlgorithm));
if (macAlgorithm != nsISSLSocketControl::SSL_MAC_AEAD) {
|