.. _mozilla_projects_nss_nss_config_options:

NSS Config Options
==================

.. _nss_config_options_format:

NSS Config Options Format
-------------------------

The specified ciphers will be allowed by policy, but an application may allow more by policy
explicitly:

.. code::

   config="allow=curve1:curve2:hash1:hash2:rsa-1024..."

Only the specified hashes and curves will be allowed:

.. code::

   config="disallow=all allow=sha1:sha256:secp256r1:secp384r1"

Only the specified hashes and curves will be allowed, RSA keys of 2048 bits or more will be
accepted, and DH key exchange will be accepted with primes of 1024 bits or more:

.. code::

   config="disallow=all allow=sha1:sha256:secp256r1:secp384r1:RSA-MIN=2048:DH-MIN=1024"

A policy that enables the AES ciphersuites and the SECP256/384 curves:

.. code::

   config="allow=aes128-cbc:aes128-gcm:HMAC-SHA1:SHA1:SHA256:SHA384:RSA:ECDHE-RSA:SECP256R1:SECP384R1"

Turn off MD5:

.. code::

   config="disallow=MD5"

Turn off MD5 and SHA1 only for SSL:

.. code::

   config="disallow=MD5(SSL):SHA1(SSL)"

Disallow values are parsed first, and then allow values, independent of the order in which they
appear.
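
The evaluation order described above can be modelled in a few lines. This is an added example, not NSS code and not part of the original page: it applies every ``disallow`` list before every ``allow`` list, scopes ``NAME(FLAG)`` entries to one usage, and collects integer restrictions such as ``RSA-MIN``. The function names, the ``defaults`` argument and the treatment of the policy flags as independent labels are assumptions of the example.

```python
import re

# Usage labels from the page's "Policy flags for algorithms" list. Treating
# them as independent labels is a simplifying assumption of this example.
USES = frozenset({"SSL", "SSL-KEY-EXCHANGE", "KEY-EXCHANGE",
                  "CERT-SIGNATURE", "SIGNATURE"})
TOKEN = re.compile(r"([A-Za-z0-9-]+)(?:\(([A-Za-z-]+)\))?")

def parse_list(value):
    """Split 'sha256:md5(SSL):RSA-MIN=2048' into ({name: uses}, {limit: int})."""
    algs, limits = {}, {}
    for tok in filter(None, value.split(":")):      # skip empty '::' fields
        if "=" in tok:                              # integer restriction
            key, _, num = tok.partition("=")
            limits[key.upper()] = int(num)
            continue
        m = TOKEN.fullmatch(tok)
        flag = (m.group(2) or "ALL").upper() if m else None
        if flag not in USES | {"ALL", "NONE"}:
            raise ValueError(f"bad policy token: {tok!r}")
        uses = USES if flag == "ALL" else USES & {flag}
        name = m.group(1).upper()
        algs[name] = algs.get(name, frozenset()) | uses
    return algs, limits

def effective_policy(config, defaults):
    """Return ({algorithm: allowed uses}, limits) for a config= value.
    `defaults` (constructed input) is what is allowed before the string applies."""
    lists = {"disallow": [], "allow": []}
    for part in config.split():
        key, _, value = part.partition("=")
        if key.lower() not in lists:
            raise ValueError(f"unsupported keyword: {key!r}")
        lists[key.lower()].append(value)
    policy = {name.upper(): set(USES) for name in defaults}
    limits = {}
    for phase in ("disallow", "allow"):             # string order is irrelevant
        for value in lists[phase]:
            algs, found = parse_list(value)
            limits.update(found)
            for name, uses in algs.items():
                for target in (list(policy) if name == "ALL" else [name]):
                    current = policy.setdefault(target, set())
                    if phase == "disallow":
                        current -= uses
                    else:
                        current |= uses
    return {n: frozenset(u) for n, u in policy.items() if u}, limits
```

Calling ``effective_policy`` on a string and on the same string with its ``allow`` and ``disallow`` fields swapped returns the same result, which is a quick check when reviewing a deployed policy string.
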

.. code::

   Future key words (not yet implemented):
   enable: turn on ciphersuites by default.
   disable: turn off ciphersuites by default without disallowing them by policy.
   flags: turn on the following flags:
      ssl-lock: turn off the ability for applications to change policy with
                the SSL_SetCipherPolicy (or SSL_SetPolicy).
      policy-lock: turn off the ability for applications to change policy with
                the call NSS_SetAlgorithmPolicy.
      ssl-default-lock: turn off the ability for applications to change cipher
                suite states with SSL_EnableCipher, SSL_DisableCipher.


.. rubric:: ECC Curves
   :name: ecc_curves

| PRIME192V1
| PRIME192V2
| PRIME192V3
| PRIME239V1
| PRIME239V2
| PRIME239V3
| PRIME256V1
| SECP112R1
| SECP112R2
| SECP128R1
| SECP128R2
| SECP160K1
| SECP160R1
| SECP160R2
| SECP192K1
| SECP192R1
| SECP224K1
| SECP256K1
| SECP256R1
| SECP384R1
| SECP521R1
| C2PNB163V1
| C2PNB163V2
| C2PNB163V3
| C2PNB176V1
| C2TNB191V1
| C2TNB191V2
| C2TNB191V3
| C2ONB191V4
| C2ONB191V5
| C2PNB208W1
| C2TNB239V1
| C2TNB239V2
| C2TNB239V3
| C2ONB239V4
| C2ONB239V5
| C2PNB272W1
| C2PNB304W1
| C2TNB359V1
| C2PNB368W1
| C2TNB431R1
| SECT113R1
| SECT131R1
| SECT131R1
| SECT131R2
| SECT163K1
| SECT163R1
| SECT163R2
| SECT193R1
| SECT193R2
| SECT233K1
| SECT233R1
| SECT239K1
| SECT283K1
| SECT283R1
| SECT409K1
| SECT409R1
| SECT571K1
| SECT571R1

.. rubric:: Hashes
   :name: hashes

| MD2
| MD4
| MD5
| SHA1
| SHA224
| SHA256
| SHA384
| SHA512

.. rubric:: MACS
   :name: macs

| HMAC-SHA1
| HMAC-SHA224
| HMAC-SHA256
| HMAC-SHA384
| HMAC-SHA512
| HMAC-MD5

.. rubric:: Ciphers
   :name: ciphers

| AES128-CBC
| AES192-CBC
| AES256-CBC
| AES128-GCM
| AES192-GCM
| AES256-GCM
| CAMELLIA128-CBC
| CAMELLIA192-CBC
| CAMELLIA256-CBC
| SEED-CBC
| DES-EDE3-CBC
| DES-40-CBC
| DES-CBC
| NULL-CIPHER
| RC2
| RC4
| IDEA

.. rubric:: SSL Key exchanges
   :name: ssl_key_exchanges

| RSA
| RSA-EXPORT
| DHE-RSA
| DHE-DSS
| DH-RSA
| DH-DSS
| ECDHE-ECDSA
| ECDHE-RSA
| ECDH-ECDSA
| ECDH-RSA

.. rubric:: Restrictions for asymmetric keys (integers)
   :name: restrictions_for_asymmetric_keys_(integers)

| RSA-MIN
| DH-MIN
| DSA-MIN

.. rubric:: Constraints on SSL Protocols Versions (integers)
   :name: constraints_on_ssl_protocols_versions_(integers)

| TLS-VERSION-MIN
| TLS-VERSION-MAX

.. rubric:: Constraints on DTLS Protocols Versions (integers)
   :name: constraints_on_dtls_protocols_versions_(integers)

| DTLS-VERSION-MIN
| DTLS-VERSION-MAX

.. rubric:: Policy flags for algorithms
   :name: policy_flags_for_algorithms

| SSL
| SSL-KEY-EXCHANGE
| KEY-EXCHANGE
| CERT-SIGNATURE
| SIGNATURE
| ALL
| NONE