tor-browser

The Tor Browser

index.rst (4428B)


.. _mozilla_projects_nss_nss_config_options:

NSS Config Options
==================

.. _nss_config_options_format:

NSS Config Options Format
-------------------------

.. container::

  The specified ciphers will be allowed by policy, but an application may allow more by policy
  explicitly:

  .. code::

     config="allow=curve1:curve2:hash1:hash2:rsa-1024..."

  Only the specified hashes and curves will be allowed:

  .. code::

     config="disallow=all allow=sha1:sha256:secp256r1:secp384r1"

  Only the specified hashes and curves will be allowed, RSA keys of 2048 bits or more will be
  accepted, and DH key exchange is accepted with primes of 1024 bits or more:

  .. code::

     config="disallow=all allow=sha1:sha256:secp256r1:secp384r1:RSA-MIN=2048:DH-MIN=1024"

  A policy that enables the AES ciphersuites and the SECP256/384 curves:

  .. code::

     config="allow=aes128-cbc:aes128-gcm:HMAC-SHA1:SHA1:SHA256:SHA384:RSA:ECDHE-RSA:SECP256R1:SECP384R1"

  Turn off MD5:

  .. code::

     config="disallow=MD5"

  Turn off MD5 and SHA1 only for SSL:

  .. code::

     config="disallow=MD5(SSL):SHA1(SSL)"

  Disallow values are parsed first, and then allow values, independent of the order in which they
  appear.

  .. code::

     Future key words (not yet implemented):
     enable: turn on ciphersuites by default.
     disable: turn off ciphersuites by default without disallowing them by policy.
     flags: turn on the following flags:
          ssl-lock: turn off the ability for applications to change policy with
                    the SSL_SetCipherPolicy (or SSL_SetPolicy).
          policy-lock: turn off the ability for applications to change policy with
                    the call NSS_SetAlgorithmPolicy.
          ssl-default-lock: turn off the ability for applications to change cipher
                    suite states with SSL_EnableCipher, SSL_DisableCipher.

  .. rubric:: ECC Curves
     :name: ecc_curves

  | PRIME192V1
  | PRIME192V2
  | PRIME192V3
  | PRIME239V1
  | PRIME239V2
  | PRIME239V3
  | PRIME256V1
  | SECP112R1
  | SECP112R2
  | SECP128R1
  | SECP128R2
  | SECP160K1
  | SECP160R1
  | SECP160R2
  | SECP192K1
  | SECP192R1
  | SECP224K1
  | SECP256K1
  | SECP256R1
  | SECP384R1
  | SECP521R1
  | C2PNB163V1
  | C2PNB163V2
  | C2PNB163V3
  | C2PNB176V1
  | C2TNB191V1
  | C2TNB191V2
  | C2TNB191V3
  | C2ONB191V4
  | C2ONB191V5
  | C2PNB208W1
  | C2TNB239V1
  | C2TNB239V2
  | C2TNB239V3
  | C2ONB239V4
  | C2ONB239V5
  | C2PNB272W1
  | C2PNB304W1
  | C2TNB359V1
  | C2PNB368W1
  | C2TNB431R1
  | SECT113R1
  | SECT131R1
  | SECT131R1
  | SECT131R2
  | SECT163K1
  | SECT163R1
  | SECT163R2
  | SECT193R1
  | SECT193R2
  | SECT233K1
  | SECT233R1
  | SECT239K1
  | SECT283K1
  | SECT283R1
  | SECT409K1
  | SECT409R1
  | SECT571K1
  | SECT571R1

  .. rubric:: Hashes
     :name: hashes

  | MD2
  | MD4
  | MD5
  | SHA1
  | SHA224
  | SHA256
  | SHA384
  | SHA512

  .. rubric:: MACS
     :name: macs

  | HMAC-SHA1
  | HMAC-SHA224
  | HMAC-SHA256
  | HMAC-SHA384
  | HMAC-SHA512
  | HMAC-MD5

  .. rubric:: Ciphers
     :name: ciphers

  | AES128-CBC
  | AES192-CBC
  | AES256-CBC
  | AES128-GCM
  | AES192-GCM
  | AES256-GCM
  | CAMELLIA128-CBC
  | CAMELLIA192-CBC
  | CAMELLIA256-CBC
  | SEED-CBC
  | DES-EDE3-CBC
  | DES-40-CBC
  | DES-CBC
  | NULL-CIPHER
  | RC2
  | RC4
  | IDEA

  .. rubric:: SSL Key exchanges
     :name: ssl_key_exchanges

  | RSA
  | RSA-EXPORT
  | DHE-RSA
  | DHE-DSS
  | DH-RSA
  | DH-DSS
  | ECDHE-ECDSA
  | ECDHE-RSA
  | ECDH-ECDSA
  | ECDH-RSA

  .. rubric:: Restrictions for asymmetric keys (integers)
     :name: restrictions_for_asymmetric_keys_(integers)

  | RSA-MIN
  | DH-MIN
  | DSA-MIN

  .. rubric:: Constraints on SSL Protocols Versions (integers)
     :name: constraints_on_ssl_protocols_versions_(integers)

  | TLS-VERSION-MIN
  | TLS-VERSION-MAX

  .. rubric:: Constraints on DTLS Protocols Versions (integers)
     :name: constraints_on_dtls_protocols_versions_(integers)

  | DTLS-VERSION-MIN
  | DTLS-VERSION-MAX

  .. rubric:: Policy flags for algorithms
     :name: policy_flags_for_algorithms

  | SSL
  | SSL-KEY-EXCHANGE
  | KEY-EXCHANGE
  | CERT-SIGNATURE
  | SIGNATURE
  | ALL
  | NONE
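
The resolution order described in the format section above (disallow values first, then allow values), as an added example that is not part of the NSS documentation or the NSS code: a small Python checker that resolves a ``config=`` value into per-algorithm uses and reports tokens it does not recognise. It handles only the token forms shown on this page (``NAME``, ``NAME(FLAG)``, ``NAME=integer``); the ``resolve`` function, the reduced keyword set and the starting state (everything allowed) are assumptions of the example.

```python
import re

# Keywords copied from the lists on this page (only a few curves and ciphers, for brevity).
ALGS = {"MD2", "MD4", "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512",
        "SECP256R1", "SECP384R1", "SECP521R1", "AES128-CBC", "AES128-GCM",
        "HMAC-SHA1", "RSA", "ECDHE-RSA"}
INT_OPTS = {"RSA-MIN", "DH-MIN", "DSA-MIN", "TLS-VERSION-MIN", "TLS-VERSION-MAX",
            "DTLS-VERSION-MIN", "DTLS-VERSION-MAX"}
USES = frozenset({"SSL", "SSL-KEY-EXCHANGE", "KEY-EXCHANGE", "CERT-SIGNATURE", "SIGNATURE"})
TOKEN = re.compile(r"^([A-Z0-9-]+)(?:\(([A-Z-]+)\)|=(\d+))?$")


def resolve(config):
    """Return (policy, limits, problems) for a config="..." value."""
    # Assumption of this example: every algorithm starts out allowed for every use.
    policy = {alg: set(USES) for alg in ALGS}
    limits, problems, lists = {}, [], {"disallow": [], "allow": []}
    for part in config.split():
        key, _, value = part.partition("=")
        if key.lower() in lists:
            lists[key.lower()] += value.upper().split(":")
        else:
            problems.append("unknown keyword: " + key)
    # Disallow is applied first, then allow, whatever order they were written in.
    for key in ("disallow", "allow"):
        for tok in lists[key]:
            m = TOKEN.match(tok)
            if not m:
                problems.append(f"malformed {key} token: {tok!r}")
                continue
            name, use, number = m.groups()
            if number is not None and name in INT_OPTS and key == "allow":
                limits[name] = int(number)
                continue
            targets = ALGS if name == "ALL" else {name} & ALGS
            uses = USES if use in (None, "ALL") else {use} & USES
            if number is not None or not targets or not uses:
                problems.append(f"unknown {key} token: {tok!r}")
                continue
            for alg in targets:
                policy[alg] = policy[alg] | uses if key == "allow" else policy[alg] - uses
    return policy, limits, problems


if __name__ == "__main__":
    # Constructed input: the allow list is written first but is still applied last.
    policy, limits, problems = resolve("allow=sha256:RSA-MIN=2048 disallow=all")
    print(sorted(policy["SHA256"]), sorted(policy["MD5"]), limits, problems)
```

Running a proposed policy string through a check like this before deployment surfaces empty or misspelled tokens and shows which uses remain enabled for each algorithm.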