Index: net/third_party/nss/ssl/sslsock.c |
=================================================================== |
--- net/third_party/nss/ssl/sslsock.c (revision 199250) |
+++ net/third_party/nss/ssl/sslsock.c (working copy) |
@@ -18,6 +18,7 @@ |
#ifndef NO_PKCS11_BYPASS |
#include "blapi.h" |
#endif |
+#include "pk11pub.h" |
#include "nss.h" |
#define SET_ERROR_CODE /* reminder */ |
@@ -782,6 +783,16 @@ |
rv = SECFailure; |
} else { |
if (PR_FALSE != on) { |
+ /* TLS 1.2 isn't supported in bypass mode. */ |
+ if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
+ /* If the user requested a minimum version of TLS 1.2 then |
+ * we don't silently downgrade. */ |
+ PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
+ rv = SECFailure; |
+ } |
+ if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
+ ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
+ } |
if (PR_SUCCESS == SSL_BypassSetup() ) { |
#ifdef NO_PKCS11_BYPASS |
ss->opt.bypassPKCS11 = PR_FALSE; |
@@ -1915,6 +1926,22 @@ |
ssl_GetSSL3HandshakeLock(ss); |
ss->vrange = *vrange; |
+ /* If we don't have a sufficiently up-to-date library then we cannot do TLS |
+ * 1.2. */ |
+ if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && |
+ !PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) { |
+ /* If the user requested a minimum version of 1.2, then we don't |
+ * silently downgrade. */ |
+ if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { |
+ PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); |
+ return SECFailure; |
+ } |
+ ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; |
+ } |
+ /* PKCS#11 bypass is not supported with TLS 1.2. */ |
+ if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) { |
+ ss->opt.bypassPKCS11 = PR_FALSE; |
+ } |
ssl_ReleaseSSL3HandshakeLock(ss); |
ssl_Release1stHandshakeLock(ss); |