From 5fdcdf66d0883e9c1a328e6ca6b345f89b28b237 Mon Sep 17 00:00:00 2001 From: Joachim Bauch Date: Thu, 21 May 2015 18:06:19 +0200 Subject: [PATCH] Enable ciphers to get ECDHE with NSS. With this change, DTLS 1.0 uses "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", DTLS 1.2 uses "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". BUG=chromium:428343 R=juberti@google.com Review URL: https://webrtc-codereview.appspot.com/52549004 Cr-Commit-Position: refs/heads/master@{#9255} --- webrtc/base/nssstreamadapter.cc | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/webrtc/base/nssstreamadapter.cc b/webrtc/base/nssstreamadapter.cc index de6da81efd..9cebddace7 100644 --- a/webrtc/base/nssstreamadapter.cc +++ b/webrtc/base/nssstreamadapter.cc @@ -66,10 +66,18 @@ static const SrtpCipherMapEntry kSrtpCipherMap[] = { }; #endif +// Ciphers to enable to get ECDHE encryption with endpoints that support it. +static const uint32_t kEnabledCiphers[] = { + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, +}; + // Default cipher used between NSS stream adapters. // This needs to be updated when the default of the SSL library changes. -static const char kDefaultSslCipher10[] = "TLS_RSA_WITH_AES_128_CBC_SHA"; -static const char kDefaultSslCipher12[] = "TLS_RSA_WITH_AES_128_GCM_SHA256"; +static const char kDefaultSslCipher10[] = + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; +static const char kDefaultSslCipher12[] = + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; // Implementation of NSPR methods @@ -549,6 +557,15 @@ int NSSStreamAdapter::BeginSSL() { } #endif + // Enable additional ciphers. + for (size_t i = 0; i < ARRAY_SIZE(kEnabledCiphers); i++) { + rv = SSL_CipherPrefSet(ssl_fd_, kEnabledCiphers[i], PR_TRUE); + if (rv != SECSuccess) { + Error("BeginSSL", -1, false); + return -1; + } + } + // Certificate validation rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this); if (rv != SECSuccess) {