Enable ciphers to get ECDHE with NSS.

With this change, DTLS 1.0 uses "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", DTLS 1.2 uses "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". BUG=chromium:428343 R=juberti@google.com Review URL: https://webrtc-codereview.appspot.com/52549004 Cr-Commit-Position: refs/heads/master@{#9255}
GetStream · May 21, 2015 · 5fdcdf6 · 5fdcdf6
1 parent 6f2ef74
commit 5fdcdf6
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/webrtc/base/nssstreamadapter.cc b/webrtc/base/nssstreamadapter.cc
@@ -66,10 +66,18 @@ static const SrtpCipherMapEntry kSrtpCipherMap[] = {
 };
 #endif
 
+// Ciphers to enable to get ECDHE encryption with endpoints that support it.
+static const uint32_t kEnabledCiphers[] = {
+  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+};
+
 // Default cipher used between NSS stream adapters.
 // This needs to be updated when the default of the SSL library changes.
-static const char kDefaultSslCipher10[] = "TLS_RSA_WITH_AES_128_CBC_SHA";
-static const char kDefaultSslCipher12[] = "TLS_RSA_WITH_AES_128_GCM_SHA256";
+static const char kDefaultSslCipher10[] =
+    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
+static const char kDefaultSslCipher12[] =
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
 
 
 // Implementation of NSPR methods
@@ -549,6 +557,15 @@ int NSSStreamAdapter::BeginSSL() {
   }
 #endif
 
+  // Enable additional ciphers.
+  for (size_t i = 0; i < ARRAY_SIZE(kEnabledCiphers); i++) {
+    rv = SSL_CipherPrefSet(ssl_fd_, kEnabledCiphers[i], PR_TRUE);
+    if (rv != SECSuccess) {
+      Error("BeginSSL", -1, false);
+      return -1;
+    }
+  }
+
   // Certificate validation
   rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
   if (rv != SECSuccess) {