DescriptionSupport the new TLS 1.2 HMAC-SHA256 cipher suites specified in
RFC 5246 and RFC 5289.
To avoid making ClientHello too big, the new DH_DSS, DH_RSA,
DHE_DSS, DH_anon, ECDH_ECDSA, and ECDH_RSA are not added.
Do not generate client_write_IV and server_write_IV in TLS 1.1+
for CBC block ciphers because 1) they aren't used, and 2) a
buffer in the NSS softoken is not big enough if the HMAC key
is 32 bytes (for HMAC-SHA256) and client_write_IV and
server_write_IV are still generated.
Do not downgrade to TLS 1.1 silently when SSL_BYPASS_PKCS11
mode is requested because we won't be able to test the new
TLS 1.2 only cipher suites in PKCS #11 bypass mode. Instead,
silently turn off PKCS #11 bypass if TLS 1.2 is enabled.
R=agl@chromium.org
BUG=90392
TEST=none (done in NSS upstream)
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=204467
Patch Set 1 #Patch Set 2 : Additional changes to pass upstream NSS SSL tests #
Total comments: 11
Patch Set 3 : Adjust cipher suite order, add comments #Patch Set 4 : Add a patch #
Messages
Total messages: 5 (0 generated)
|