/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISupports.idl"

interface nsIInterfaceRequestor;
interface nsIX509Cert;

%{C++
#include "nsTArrayForwardDeclare.h"
class nsCString;
%}
[ref] native nsCStringTArrayRef(nsTArray<nsCString>);

/**
 * Per-socket control surface for a TLS-wrapped transport: starting the
 * handshake, selecting/inspecting the negotiated application protocol,
 * driving 0-RTT, deciding whether the socket may be reused for another
 * host, and reading the security parameters (version, key exchange, MAC,
 * certificate-verification outcome) of the established session.
 *
 * Member order is part of the binary interface (XPCOM vtable); new members
 * belong at the end.
 */
[scriptable, builtinclass, uuid(418265c8-654e-4fbb-ba62-4eed27de1f03)]
interface nsISSLSocketControl : nsISupports {
  /* Callback sink the socket uses to reach its owner (e.g. to look up
   * other interfaces). Which interfaces are requested through it is not
   * visible here; check the implementation. */
  attribute nsIInterfaceRequestor notificationCallbacks;

  /* Both entry points begin TLS on a connection that was set up in the
   * clear. NOTE(review): the difference between the two (proxy CONNECT
   * tunnel vs. opportunistic STARTTLS-style upgrade is the likely split,
   * judging by the names) is not documented here; confirm against the
   * implementation before relying on it. */
  void proxyStartSSL();
  void StartTLS();

  /* NPN (Next Protocol Negotiation) is a mechanism for
   * negotiating the protocol to be spoken inside the SSL
   * tunnel during the SSL handshake. The NPNList is the list
   * of offered client side protocols. setNPNList() needs to
   * be called before any data is read or written (including the
   * handshake) for it to be set up correctly. The server determines the
   * priority when multiple matches occur, but if there is no overlap
   * the first protocol in the list is used.
   *
   * Because the first entry is the fallback when nothing overlaps, list
   * order is a policy decision, not just a preference. */

  [noscript] void setNPNList(in nsCStringTArrayRef aNPNList);

  /* negotiatedNPN is '' if no NPN list was provided by the client,
   * or if the server did not select any protocol choice from that
   * list. That also includes the case where the server does not
   * implement NPN.
   *
   * If negotiatedNPN is read before NPN has progressed to the point
   * where this information is available NS_ERROR_NOT_CONNECTED is
   * raised.
   *
   * Callers must therefore distinguish "empty string" (negotiation done,
   * nothing chosen) from "NS_ERROR_NOT_CONNECTED" (not known yet) rather
   * than treating both as "no protocol".
   */
  readonly attribute ACString negotiatedNPN;

  /* For 0RTT we need to know the alpn protocol selected for the last tls
   * session. This function will return a value if applicable or an error
   * NS_ERROR_NOT_AVAILABLE.
   *
   * The value comes from the *previous* session, so it is an expectation
   * about what the server will accept, not a guarantee; the server may
   * reject the early data (see earlyDataAccepted).
   */
  ACString getAlpnEarlySelection();

  /* If 0RTT handshake was applied and some data has been sent, as soon as
   * the handshake finishes this attribute will be set to appropriate value.
   *
   * Until the handshake finishes the value is not meaningful. NOTE(review):
   * TLS 1.3 early data carries no replay protection (RFC 8446), so whatever
   * is sent before this becomes true should be safe to replay; the decision
   * of what may go out early is made by the caller, not by this interface.
   */
  readonly attribute bool earlyDataAccepted;

  /* When 0RTT is performed, PR_Write will not drive the handshake forward.
   * It must be forced by calling this function.
   */
  void driveHandshake();

  /* Determine if a potential SSL connection to hostname:port with
   * a desired NPN negotiated protocol of npnProtocol can use the socket
   * associated with this object instead of making a new one.
   *
   * Returns true only if reusing this socket is acceptable for that
   * origin; a false result means the caller must open a new connection.
   * The exact checks (certificate coverage of hostname, port match,
   * protocol match) live in the implementation.
   */
  boolean joinConnection(
    in ACString npnProtocol, /* e.g. "spdy/2" */
    in ACString hostname,
    in long port);

  /* Determine if existing connection should be trusted to convey information about
   * a hostname.
   *
   * This is the trust check behind connection coalescing: a true result
   * lets data for `hostname` be attributed to this socket's peer, so it
   * must only succeed when the peer's verified identity covers that
   * hostname. Presumably evaluated against the server certificate —
   * confirm against the implementation.
   */
  boolean isAcceptableForHost(in ACString hostname);

  /* The Key Exchange Algorithm is used when determining whether or
   * not HTTP/2 can be used.
   *
   * After a handshake is complete it can be read from KEAUsed.
   * The values correspond to the SSLKEAType enum in NSS or the
   * KEY_EXCHANGE_UNKNOWN constant defined below.
   *
   * KEAKeyBits is the size/security-level used for the KEA.
   *
   * Both are [infallible]: before the handshake completes they return
   * KEY_EXCHANGE_UNKNOWN / 0 rather than an error, so callers gating
   * protocol selection on them should check the handshake state first.
   */

  [infallible] readonly attribute short KEAUsed;
  [infallible] readonly attribute unsigned long KEAKeyBits;

  const short KEY_EXCHANGE_UNKNOWN = -1;

  /*
   * The original flags from the socket provider.
   */
  readonly attribute uint32_t providerFlags;

  /* These values are defined by TLS (protocol version numbers as they
   * appear on the wire, major byte first). SSL_VERSION_UNKNOWN is reported
   * when no version has been negotiated yet. */
  const short SSL_VERSION_3 = 0x0300;
  const short TLS_VERSION_1 = 0x0301;
  const short TLS_VERSION_1_1 = 0x0302;
  const short TLS_VERSION_1_2 = 0x0303;
  const short TLS_VERSION_1_3 = 0x0304;
  const short SSL_VERSION_UNKNOWN = -1;

  /* SSLVersionUsed is the version actually negotiated; SSLVersionOffered
   * is the highest version the client offered. Both are [infallible] and
   * return SSL_VERSION_UNKNOWN rather than failing when unavailable. */
  [infallible] readonly attribute short SSLVersionUsed;
  [infallible] readonly attribute short SSLVersionOffered;

  /* These values match the NSS defined values in sslt.h.
   * SSL_MAC_NULL means no integrity protection; SSL_MAC_AEAD means the
   * cipher suite provides integrity as part of authenticated encryption
   * rather than through a separate MAC. */
  const short SSL_MAC_UNKNOWN = -1;
  const short SSL_MAC_NULL = 0;
  const short SSL_MAC_MD5 = 1;
  const short SSL_MAC_SHA = 2;
  const short SSL_HMAC_MD5 = 3;
  const short SSL_HMAC_SHA = 4;
  const short SSL_HMAC_SHA256 = 5;
  const short SSL_MAC_AEAD = 6;

  /* One of the SSL_MAC_* / SSL_HMAC_* constants above, or SSL_MAC_UNKNOWN
   * before the handshake has completed. */
  [infallible] readonly attribute short MACAlgorithmUsed;

  /**
   * If set before the server requests a client cert (assuming it does so at
   * all), then this cert will be presented to the server, instead of asking
   * the user or searching the set of remembered user cert decisions.
   *
   * Setting this silently commits a client identity to the peer without a
   * user prompt, so only the component that owns the connection's identity
   * policy should set it. Setting it after the server's request has been
   * answered has no documented effect.
   */
  attribute nsIX509Cert clientCert;

  /**
   * bypassAuthentication is true if the server certificate checks are
   * not enforced. This is to enable non-secure transport over TLS.
   *
   * A connection with this flag set is encrypted but its peer is
   * unauthenticated; it must not be treated as a secure channel for
   * security-sensitive decisions (secure-context, mixed-content, cookie
   * "secure" semantics, connection coalescing via joinConnection).
   */
  [infallible] readonly attribute boolean bypassAuthentication;

  /*
   * failedVerification is true if any enforced certificate checks have failed.
   * Connections that have not yet tried to verify, have verifications bypassed,
   * or are using acceptable exceptions will all return false.
   *
   * Because "not yet verified" and "verified OK" both read false, this
   * attribute alone cannot prove that verification succeeded; combine it
   * with handshake state and bypassAuthentication when making that call.
   */
  [infallible] readonly attribute boolean failedVerification;
};