diff options
| author | bors-servo <lbergstrom+bors@mozilla.com> | 2018-12-22 01:07:01 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-12-22 01:07:01 -0500 |
| commit | 0fcc9b4ec7f320de893ea25d8ee45e575619e2ce (patch) | |
| tree | 527d57e2d67dfe71e97b1e1dbf4571a742cc27f4 /components/net | |
| parent | 9caf215beb53165e3f411a15bf7e4b2922ff22ae (diff) | |
| parent | 027154ecf0beb544be271329e01d447ba49781f6 (diff) | |
| download | servo-0fcc9b4ec7f320de893ea25d8ee45e575619e2ce.tar.gz servo-0fcc9b4ec7f320de893ea25d8ee45e575619e2ce.zip | |
Auto merge of #22243 - Darkspirit:cipherlist_cleanup, r=avadacatavra
Cleanup of default ciphersuite list
* don't offer DHE ciphersuites like Chrome (Firefox is in [progress](https://www.fxsitecompat.com/en-CA/docs/2018/dhe-cipher-suites-are-no-longer-supported-in-webrtc/) of deprecating DHE as well)
* don't offer AES-CBC-SHA2 like Firefox and Chrome
* don't offer AES-GCM for plain RSA like Firefox
* don't offer ECDSA with AES-CBC like Chrome
* don't offer weak DES-CBC3-SHA
* prefer AES256 over AES128 like [Mozilla Modern](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility), Safari and Edge
(The last line of cipher suites would be removed in the future when Servo deprecates TLS 1.0/1.1 and switches to Rustls.)
You can compare Firefox and Chrome with https://www.ssllabs.com/ssltest/viewMyClient.html.
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: -->
- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/22243)
<!-- Reviewable:end -->
Diffstat (limited to 'components/net')
| -rw-r--r-- | components/net/connector.rs | 13 |
1 files changed, 3 insertions, 10 deletions
diff --git a/components/net/connector.rs b/components/net/connector.rs index 44166bf92a9..c93f82df5e2 100644 --- a/components/net/connector.rs +++ b/components/net/connector.rs @@ -201,18 +201,11 @@ where .build(connector) } -// The basic logic here is to prefer ciphers with ECDSA certificates, Forward -// Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers. +// Prefer Forward Secrecy over plain RSA, AES-GCM over AES-CBC, ECDSA over RSA. // A complete discussion of the issues involved in TLS configuration can be found here: // https://wiki.mozilla.org/Security/Server_Side_TLS const DEFAULT_CIPHERS: &'static str = concat!( - "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:", "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:", - "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:", - "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:", - "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:", - "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:", - "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:", - "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:", - "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA" + "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:", + "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA" ); |