[SOUP] Disable RC4
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 5 Mar 2015 09:27:21 +0000 (09:27 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 5 Mar 2015 09:27:21 +0000 (09:27 +0000)
https://bugs.webkit.org/show_bug.cgi?id=140014

Patch by Michael Catanzaro <mcatanzaro@igalia.com> on 2015-03-05
Reviewed by Carlos Garcia Campos.

Disallow RC4-based ciphersuites when performing TLS negotiation,
because it is no longer considered secure.

* NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp:
(main):
* WebProcess/EntryPoint/unix/WebProcessMain.cpp:
(main):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@181073 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp

index 7abb9bdf75406900db7e10ecd8abb74df91dfb98..1f27e248f210b6ffd0f04476bf652ffaed6caa1f 100644 (file)
@@ -1,3 +1,18 @@
+2015-03-05  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        [SOUP] Disable RC4
+        https://bugs.webkit.org/show_bug.cgi?id=140014
+
+        Reviewed by Carlos Garcia Campos.
+
+        Disallow RC4-based ciphersuites when performing TLS negotiation,
+        because it is no longer considered secure.
+
+        * NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp:
+        (main):
+        * WebProcess/EntryPoint/unix/WebProcessMain.cpp:
+        (main):
+
 2015-03-04  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         Hide Promise with runtime flags under Cocoa JSContext API
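
Review bot: The new ChangeLog entry states that RC4-based ciphersuites are disallowed but does not say how, or under what condition. The change works by appending !ARCFOUR-128 to the default G_TLS_GNUTLS_PRIORITY string, and the code comment in both entry points says a value already set by the user is not overwritten, so RC4 stays available in that case. One extra sentence in the entry naming the variable and that exception would let someone reading only the ChangeLog understand the actual scope of the change.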
index 1acd133c7d18dee468fe4a907997caaa98db9696..b282e16a37810a7d7f123d05cfa071f762c3d582 100644 (file)
@@ -37,9 +37,9 @@ int main(int argc, char** argv)
     // This workaround will stop working if glib-networking switches away from
     // GnuTLS or simply stops parsing this variable. We intentionally do not
     // overwrite this priority string if it's already set by the user.
-    // Keep this in sync with WebProcessMain.cpp.
     // https://bugzilla.gnome.org/show_bug.cgi?id=738633
-    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0);
+    // WARNING: This needs to be KEPT IN SYNC with WebProcessMain.cpp.
+    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0:!ARCFOUR-128", 0);
 
     return NetworkProcessMainUnix(argc, argv);
 }
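
Review bot: The setenv() call in main() ignores its return value, so if it fails the process continues into NetworkProcessMainUnix() with whatever default priority applies and neither the SSL 3.0 nor the new RC4 exclusion is in effect, with nothing logged. Checking the result and at least emitting a warning would make that failure visible. Separately, the priority string is now a longer literal duplicated across two files and held together only by a "KEPT IN SYNC" comment; defining it once in a header shared by both entry points would remove the need for the warning.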
index 87b45b3c5c0d336ef869cac761d62e1fd58eae59..5f45d01af78ae8668c9de77adc1bf01ab0108cda 100644 (file)
@@ -37,9 +37,9 @@ int main(int argc, char** argv)
     // This workaround will stop working if glib-networking switches away from
     // GnuTLS or simply stops parsing this variable. We intentionally do not
     // overwrite this priority string if it's already set by the user.
-    // Keep this in sync with NetworkProcessMain.cpp.
     // https://bugzilla.gnome.org/show_bug.cgi?id=738633
-    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0);
+    // WARNING: This needs to be KEPT IN SYNC with WebProcessMain.cpp.
+    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0:!ARCFOUR-128", 0);
 
     return WebProcessMainUnix(argc, argv);
 }
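
Review bot: The added comment in this file reads "This needs to be KEPT IN SYNC with WebProcessMain.cpp", but this hunk is WebProcessMain.cpp itself (it returns WebProcessMainUnix(), and the removed line pointed at NetworkProcessMain.cpp). The comment looks copied unchanged from the other entry point and should name NetworkProcessMain.cpp, otherwise the next person to tighten the priority string here has no pointer to the second copy that must change with it.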