// HTTP/2 TLS profile check: four requirements are tested in order, and each
// failure is logged and passed to RETURN_SESSION_ERROR with
// INADEQUATE_SECURITY.
// NOTE(review): RETURN_SESSION_ERROR is a macro defined outside this excerpt;
// presumably it ends the session and returns from the function. Confirm.

// 1. Protocol version: anything below TLS 1.2 is refused (RFC 7540 section 9.2
//    requires TLS 1.2 or higher for HTTP/2 over TLS).
int16_t version = ssl->GetSSLVersionUsed();
LOG3(("Http2Session::ConfirmTLSProfile %p version=%x\n", this, version));
if (version < nsISSLSocketControl::TLS_VERSION_1_2) {
  LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to lack of TLS1.2\n",
        this));
  RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
}

// 2. Key exchange: an allowlist of exactly two values, so any other value
//    reported by GetKEAUsed() fails closed.
// NOTE(review): presumably ssl_kea_dh / ssl_kea_ecdh stand for the ephemeral
// (DHE / ECDHE) exchanges; confirm against the NSS definitions.
uint16_t kea = ssl->GetKEAUsed();
if (!(kea == ssl_kea_dh || kea == ssl_kea_ecdh)) {
  LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to invalid KEA %d\n",
        this, kea));
  RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
}

// 3. Key size: the minimum depends on the key-exchange type. See RFC 7540
//    section 9.2.1 for the 2048-bit DHE and 224-bit ECDHE lower limits.
// NOTE(review): keybits is unsigned but is logged with %d; %u would match the
// argument type. The strings are left unchanged here.
uint32_t keybits = ssl->GetKEAKeyBits();
if (kea == ssl_kea_dh) {
  if (keybits < 2048) {
    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
          this, keybits));
    RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
  }
} else if (kea == ssl_kea_ecdh) {
  if (keybits < 224) {  // see rfc7540 9.2.1.
    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
          this, keybits));
    RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
  }
}

// 4. Record protection: only an AEAD MAC algorithm is accepted. The value is
//    logged before the comparison so a rejected connection still records what
//    was negotiated.
int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
      this, macAlgorithm));
if (!(macAlgorithm == nsISSLSocketControl::SSL_MAC_AEAD)) {
  LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to lack of AEAD\n",
        this));
  RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
}
} else if (mGoAwayReason == INADEQUATE_SECURITY) { CloseStream(stream, NS_ERROR_NET_INADEQUATE_SECURITY);
case NS_ERROR_NET_INADEQUATE_SECURITY:
  // The server negotiated TLS parameters that are not acceptable for HTTP/2.
  // Selects the "inadequateSecurityError" identifier for this failure.
  // NOTE(review): addHostPort presumably makes the enclosing code include the
  // host and port in the message; the code that reads it is outside this
  // excerpt.
  addHostPort = true;
  error.AssignLiteral("inadequateSecurityError");
  break;