author | Martin Thomson <martin.thomson@gmail.com> | 2016-06-01 11:42:52 +1000 |
---|---|---|
committer | Martin Thomson <martin.thomson@gmail.com> | 2016-06-01 11:42:52 +1000 |
commit | ab989fcc6436aaa1a18beb6878d30534f974db0c (patch) | |
tree | 3064e1da610e55bf57ac6eb5d12104c67ecfe36b /cmd/selfserv | |
parent | 889663f59ed8fa92385dda38c7f94a06c1e907ab (diff) | |
Bug 1266237 - Enable FFDHE and DHE for TLS 1.3, r=ekr
Diffstat (limited to 'cmd/selfserv')
-rw-r--r-- | cmd/selfserv/selfserv.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
index 9a1572837..a0b1268d8 100644
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -166,7 +166,7 @@ PrintUsageHeader(const char *progName)
 " [-e ec_nickname]"
 #endif /* NSS_DISABLE_ECC */
 "\n"
- " -U [0|1] -H [0|1] -W [0|1]\n",
+ " -U [0|1] -H [0|1|2] -W [0|1]\n",
 progName);
 }
@@ -219,7 +219,8 @@ PrintParameterUsage()
 " ocsp: fetch from external OCSP server using AIA, or none\n"
 "-A <ca> Nickname of a CA used to sign a stapled cert status\n"
 "-U override default ECDHE ephemeral key reuse, 0: refresh, 1: reuse\n"
- "-H override default DHE server support, 0: disable, 1: enable\n"
+ "-H override default DHE server support, 0: disable, 1: enable, "
+ " 2: require DH named groups\n"
 "-W override default DHE server weak parameters support, 0: disable, 1: enable\n"
 "-c Restrict ciphers\n"
 "-Y prints cipher values allowed for parameter -c and exits\n"
@@ -1933,6 +1934,11 @@ server_main(
 if (rv != SECSuccess) {
 errExit("error configuring server side DHE support");
 }
+ rv = SSL_OptionSet(model_sock, SSL_REQUIRE_DH_NAMED_GROUPS, (configureDHE > 1));
+ if (rv != SECSuccess) {
+ errExit("error configuring server side FFDHE support");
+ }
+ PORT_Assert(configureDHE <= 2);
 }
 if (configureReuseECDHE > -1) { |
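Review bot: `PORT_Assert(configureDHE <= 2)` in the server_main hunk is the only range check on the `-H` value visible here, and it runs after both `SSL_OptionSet` calls; as an assertion it is presumably compiled out of non-debug builds. In such a build an out-of-range value like 3 would be silently treated as 2 by `(configureDHE > 1)`, while a debug build aborts instead of reporting a usage error. A command-line value is better rejected explicitly before the options are applied, e.g. `if (configureDHE > 2) { errExit("invalid -H value, expected 0, 1 or 2"); }`, or where `-H` is parsed, which is outside this diff. server_main's body starts and ends outside the hunk.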