summarylogtreecommitdiffstats
path: root/update_keybits_in_H2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'update_keybits_in_H2.patch')
-rw-r--r--update_keybits_in_H2.patch29
1 files changed, 29 insertions, 0 deletions
diff --git a/update_keybits_in_H2.patch b/update_keybits_in_H2.patch
new file mode 100644
index 000000000000..a16ba44af79c
--- /dev/null
+++ b/update_keybits_in_H2.patch
@@ -0,0 +1,29 @@
+
+diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
+--- a/netwerk/protocol/http/Http2Session.cpp
++++ b/netwerk/protocol/http/Http2Session.cpp
+@@ -3516,18 +3516,18 @@ Http2Session::ConfirmTLSProfile()
+ RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+ }
+
+ uint32_t keybits = ssl->GetKEAKeyBits();
+ if (kea == ssl_kea_dh && keybits < 2048) {
+ LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
+ this, keybits));
+ RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+- } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
+- LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
++ } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
++ LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
+ this, keybits));
+ RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+ }
+
+ int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
+ LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
+ this, macAlgorithm));
+ if (macAlgorithm != nsISSLSocketControl::SSL_MAC_AEAD) {
+
+
+
+