Enable ciphers to get ECDHE with NSS.

With this change, DTLS 1.0 uses "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", DTLS 1.2 uses "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". BUG=chromium:428343 R=juberti@google.com Review URL: https://webrtc-codereview.appspot.com/52549004 Cr-Commit-Position: refs/heads/master@{#9255}
2015-05-21 18:06:19 +02:00 · 2015-05-21 18:06:19 +02:00 · 5fdcdf66d0
commit 5fdcdf66d0
parent 6f2ef74b42
1 changed files with 19 additions and 2 deletions
--- a/webrtc/base/nssstreamadapter.cc
+++ b/webrtc/base/nssstreamadapter.cc
@ -66,10 +66,18 @@ static const SrtpCipherMapEntry kSrtpCipherMap[] = {
 };
 #endif

+// Ciphers to enable to get ECDHE encryption with endpoints that support it.
+static const uint32_t kEnabledCiphers[] = {
+  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+};
+
 // Default cipher used between NSS stream adapters.
 // This needs to be updated when the default of the SSL library changes.
-static const char kDefaultSslCipher10[] = "TLS_RSA_WITH_AES_128_CBC_SHA";
-static const char kDefaultSslCipher12[] = "TLS_RSA_WITH_AES_128_GCM_SHA256";
+static const char kDefaultSslCipher10[] =
+    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
+static const char kDefaultSslCipher12[] =
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";


 // Implementation of NSPR methods
@ -549,6 +557,15 @@ int NSSStreamAdapter::BeginSSL() {
  }
 #endif

+  // Enable additional ciphers.
+  for (size_t i = 0; i < ARRAY_SIZE(kEnabledCiphers); i++) {
+    rv = SSL_CipherPrefSet(ssl_fd_, kEnabledCiphers[i], PR_TRUE);
+    if (rv != SECSuccess) {
+      Error("BeginSSL", -1, false);
+      return -1;
+    }
+  }
+
  // Certificate validation
  rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
  if (rv != SECSuccess) {