Backed out changesets f601c449f86b, e5a36d268d11, 9a13eb125a47, and 351434e9157b (bug 996237) for Android/B2G bustage.
authorRyan VanderMeulen <ryanvm@gmail.com>
Fri, 01 Aug 2014 13:24:49 -0400
changeset 197518 abc2e9abe681d387b2b98b84b592f9136fcf5470
parent 197517 c01dea53dd609349e4ad81f7a9c3a63c9b567d5f
child 197519 5b2dab72041e96b0a45fb05336d788238a025947
push id27249
push userryanvm@gmail.com
push dateMon, 04 Aug 2014 20:14:35 +0000
treeherderautoland@7f81be7db528 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs996237
milestone34.0a1
backs outf601c449f86bed51eaba85c6ff98761b0b7b9a21
e5a36d268d11f629426824a7321e5702d8426f2e
9a13eb125a47339e3b07b88870cf246c597b0509
351434e9157b1ca48eef943c62d2c1a9fdd96a6a
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out changesets f601c449f86b, e5a36d268d11, 9a13eb125a47, and 351434e9157b (bug 996237) for Android/B2G bustage. CLOSED TREE
media/mtransport/test/transport_unittests.cpp
media/mtransport/transportlayer.h
media/mtransport/transportlayerdtls.cpp
media/mtransport/transportlayerdtls.h
--- a/media/mtransport/test/transport_unittests.cpp
+++ b/media/mtransport/test/transport_unittests.cpp
@@ -4,25 +4,23 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 // Original author: ekr@rtfm.com
 
 #include <iostream>
 #include <string>
 #include <map>
-#include <algorithm>
 
 #include "sigslot.h"
 
 #include "logging.h"
 #include "nspr.h"
 #include "nss.h"
 #include "ssl.h"
-#include "sslproto.h"
 
 #include "nsThreadUtils.h"
 #include "nsXPCOM.h"
 
 #include "databuffer.h"
 #include "dtlsidentity.h"
 #include "nricectx.h"
 #include "nricemediastream.h"
@@ -286,19 +284,17 @@ class TransportTestPeer : public sigslot
         dtls_(new TransportLayerDtls()),
         identity_(DtlsIdentity::Generate()),
         ice_ctx_(NrIceCtx::Create(name,
                                   name == "P2" ?
                                   TransportLayerDtls::CLIENT :
                                   TransportLayerDtls::SERVER)),
         streams_(), candidates_(),
         peer_(nullptr),
-        gathering_complete_(false),
-        enabled_cipersuites_(),
-        disabled_cipersuites_()
+        gathering_complete_(false)
  {
     std::vector<NrIceStunServer> stun_servers;
     ScopedDeletePtr<NrIceStunServer> server(NrIceStunServer::Create(
         std::string((char *)"stun.services.mozilla.com"), 3478));
     stun_servers.push_back(*server);
     EXPECT_TRUE(NS_SUCCEEDED(ice_ctx_->SetStunServers(stun_servers)));
 
     dtls_->SetIdentity(identity_);
@@ -358,57 +354,32 @@ class TransportTestPeer : public sigslot
           peer->fingerprint_len_);
 
       ASSERT_TRUE(NS_SUCCEEDED(res));
 
       mask <<= 1;
     }
   }
 
-  void SetupSrtp() {
-    // this mimics the setup we do elsewhere
-    std::vector<uint16_t> srtp_ciphers;
-    srtp_ciphers.push_back(SRTP_AES128_CM_HMAC_SHA1_80);
-    srtp_ciphers.push_back(SRTP_AES128_CM_HMAC_SHA1_32);
-
-    SetSrtpCiphers(srtp_ciphers);
- }
-
-  void SetSrtpCiphers(std::vector<uint16_t>& srtp_ciphers) {
-    ASSERT_TRUE(NS_SUCCEEDED(dtls_->SetSrtpCiphers(srtp_ciphers)));
-  }
 
   void ConnectSocket_s(TransportTestPeer *peer) {
     nsresult res;
     res = loopback_->Init();
     ASSERT_EQ((nsresult)NS_OK, res);
 
     loopback_->Connect(peer->loopback_);
 
     ASSERT_EQ((nsresult)NS_OK, flow_->PushLayer(loopback_));
     ASSERT_EQ((nsresult)NS_OK, flow_->PushLayer(logging_));
     ASSERT_EQ((nsresult)NS_OK, flow_->PushLayer(lossy_));
     ASSERT_EQ((nsresult)NS_OK, flow_->PushLayer(dtls_));
 
-    TweakCiphers(dtls_->internal_fd());
-
     flow_->SignalPacketReceived.connect(this, &TransportTestPeer::PacketReceived);
   }
 
-  void TweakCiphers(PRFileDesc* fd) {
-    for (auto it = enabled_cipersuites_.begin();
-         it != enabled_cipersuites_.end(); ++it) {
-      SSL_CipherPrefSet(fd, *it, PR_TRUE);
-    }
-    for (auto it = disabled_cipersuites_.begin();
-         it != disabled_cipersuites_.end(); ++it) {
-      SSL_CipherPrefSet(fd, *it, PR_FALSE);
-    }
-  }
-
   void ConnectSocket(TransportTestPeer *peer) {
     RUN_ON_THREAD(test_utils->sts_target(),
                   WrapRunnable(this, & TransportTestPeer::ConnectSocket_s,
                                peer),
                   NS_DISPATCH_SYNC);
   }
 
   void InitIce() {
@@ -539,22 +510,16 @@ class TransportTestPeer : public sigslot
   void SetLoss(uint32_t loss) {
     lossy_->SetLoss(loss);
   }
 
   void SetInspector(Inspector* inspector) {
     lossy_->SetInspector(inspector);
   }
 
-  void SetCipherSuiteChanges(const std::vector<uint16_t>& enableThese,
-                             const std::vector<uint16_t>& disableThese) {
-    disabled_cipersuites_ = disableThese;
-    enabled_cipersuites_ = enableThese;
-  }
-
   TransportLayer::State state() {
     TransportLayer::State tstate;
 
     RUN_ON_THREAD(test_utils->sts_target(),
                   WrapRunnableRet(flow_, &TransportFlow::state, &tstate));
 
     return tstate;
   }
@@ -564,41 +529,16 @@ class TransportTestPeer : public sigslot
   }
 
   bool failed() {
     return state() == TransportLayer::TS_ERROR;
   }
 
   size_t received() { return received_; }
 
-  uint16_t cipherSuite() const {
-    nsresult rv;
-    uint16_t cipher;
-    RUN_ON_THREAD(test_utils->sts_target(),
-                  WrapRunnableRet(dtls_, &TransportLayerDtls::GetCipherSuite,
-                                  &cipher, &rv));
-
-    if (NS_FAILED(rv)) {
-      return TLS_NULL_WITH_NULL_NULL; // i.e., not good
-    }
-    return cipher;
-  }
-
-  uint16_t srtpCipher() const {
-    nsresult rv;
-    uint16_t cipher;
-    RUN_ON_THREAD(test_utils->sts_target(),
-                  WrapRunnableRet(dtls_, &TransportLayerDtls::GetSrtpCipher,
-                                  &cipher, &rv));
-    if (NS_FAILED(rv)) {
-      return 0; // the SRTP equivalent of TLS_NULL_WITH_NULL_NULL
-    }
-    return cipher;
-  }
-
  private:
   std::string name_;
   nsCOMPtr<nsIEventTarget> target_;
   size_t received_;
     mozilla::RefPtr<TransportFlow> flow_;
   TransportLayerLoopback *loopback_;
   TransportLayerLogging *logging_;
   TransportLayerLossy *lossy_;
@@ -607,18 +547,16 @@ class TransportTestPeer : public sigslot
   mozilla::RefPtr<DtlsIdentity> identity_;
   mozilla::RefPtr<NrIceCtx> ice_ctx_;
   std::vector<mozilla::RefPtr<NrIceMediaStream> > streams_;
   std::map<std::string, std::vector<std::string> > candidates_;
   TransportTestPeer *peer_;
   bool gathering_complete_;
   unsigned char fingerprint_[TransportLayerDtls::kMaxDigestLength];
   size_t fingerprint_len_;
-  std::vector<uint16_t> enabled_cipersuites_;
-  std::vector<uint16_t> disabled_cipersuites_;
 };
 
 
 class TransportTest : public ::testing::Test {
  public:
   TransportTest() {
     fds_[0] = nullptr;
     fds_[1] = nullptr;
@@ -642,21 +580,16 @@ class TransportTest : public ::testing::
     nsresult rv;
     target_ = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv);
     ASSERT_TRUE(NS_SUCCEEDED(rv));
 
     p1_ = new TransportTestPeer(target_, "P1");
     p2_ = new TransportTestPeer(target_, "P2");
   }
 
-  void SetupSrtp() {
-    p1_->SetupSrtp();
-    p2_->SetupSrtp();
-  }
-
   void SetDtlsPeer(int digests = 1, unsigned int damage = 0) {
     p1_->SetDtlsPeer(p2_, digests, damage);
     p2_->SetDtlsPeer(p1_, digests, damage);
   }
 
   void SetDtlsAllowAll() {
     p1_->SetDtlsAllowAll();
     p2_->SetDtlsAllowAll();
@@ -667,19 +600,16 @@ class TransportTest : public ::testing::
       WrapRunnable(p1_, &TransportTestPeer::ConnectSocket, p2_),
       NS_DISPATCH_SYNC);
     test_utils->sts_target()->Dispatch(
       WrapRunnable(p2_, &TransportTestPeer::ConnectSocket, p1_),
       NS_DISPATCH_SYNC);
 
     ASSERT_TRUE_WAIT(p1_->connected(), 10000);
     ASSERT_TRUE_WAIT(p2_->connected(), 10000);
-
-    ASSERT_EQ(p1_->cipherSuite(), p2_->cipherSuite());
-    ASSERT_EQ(p1_->srtpCipher(), p2_->srtpCipher());
   }
 
   void ConnectSocketExpectFail() {
     test_utils->sts_target()->Dispatch(
       WrapRunnable(p1_, &TransportTestPeer::ConnectSocket, p2_),
       NS_DISPATCH_SYNC);
     test_utils->sts_target()->Dispatch(
       WrapRunnable(p2_, &TransportTestPeer::ConnectSocket, p1_),
@@ -725,36 +655,18 @@ class TransportTest : public ::testing::
 
 TEST_F(TransportTest, TestNoDtlsVerificationSettings) {
   ConnectSocketExpectFail();
 }
 
 TEST_F(TransportTest, TestConnect) {
   SetDtlsPeer();
   ConnectSocket();
-
-  // check that we got the right suite
-  ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
-
-  // no SRTP on this one
-  ASSERT_EQ(0, p1_->srtpCipher());
 }
 
-TEST_F(TransportTest, TestConnectSrtp) {
-  SetupSrtp();
-  SetDtlsPeer();
-  ConnectSocket();
-
-  ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
-
-  // SRTP is on
-  ASSERT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, p1_->srtpCipher());
-}
-
-
 TEST_F(TransportTest, TestConnectDestroyFlowsMainThread) {
   SetDtlsPeer();
   ConnectSocket();
   DestroyPeerFlows();
 }
 
 TEST_F(TransportTest, TestConnectAllowAll) {
   SetDtlsAllowAll();
@@ -821,75 +733,16 @@ TEST_F(TransportTest, TestConnectIce) {
 }
 
 TEST_F(TransportTest, TestTransferIce) {
   SetDtlsPeer();
   ConnectIce();
   TransferTest(1);
 }
 
-// test the default configuration against a peer that supports only
-// one of the mandatory-to-implement suites, which should succeed
-static void ConfigureOneCipher(TransportTestPeer* peer, uint16_t suite) {
-  std::vector<uint16_t> justOne;
-  justOne.push_back(suite);
-  std::vector<uint16_t> everythingElse(SSL_GetImplementedCiphers(),
-                                       SSL_GetImplementedCiphers()
-                                       + SSL_GetNumImplementedCiphers());
-  remove(everythingElse.begin(), everythingElse.end(), suite);
-  peer->SetCipherSuiteChanges(justOne, everythingElse);
-}
-
-TEST_F(TransportTest, TestCipherMismatch) {
-  SetDtlsPeer();
-  ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
-  ConfigureOneCipher(p2_, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
-  ConnectSocketExpectFail();
-}
-
-TEST_F(TransportTest, TestCipherMandatoryOnlyGcm) {
-  SetDtlsPeer();
-  ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
-  ConnectSocket();
-  ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, p1_->cipherSuite());
-}
-
-TEST_F(TransportTest, TestCipherMandatoryOnlyCbc) {
-  SetDtlsPeer();
-  ConfigureOneCipher(p1_, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
-  ConnectSocket();
-  ASSERT_EQ(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, p1_->cipherSuite());
-}
-
-TEST_F(TransportTest, TestSrtpMismatch) {
-  std::vector<uint16_t> setA;
-  setA.push_back(SRTP_AES128_CM_HMAC_SHA1_80);
-  std::vector<uint16_t> setB;
-  setB.push_back(SRTP_AES128_CM_HMAC_SHA1_32);
-
-  p1_->SetSrtpCiphers(setA);
-  p2_->SetSrtpCiphers(setB);
-  SetDtlsPeer();
-  ConnectSocket();
-
-  ASSERT_EQ(0, p1_->srtpCipher());
-  ASSERT_EQ(0, p2_->srtpCipher());
-}
-
-// NSS doesn't support DHE suites on the server end.
-// This checks to see if we barf when that's the only option available.
-TEST_F(TransportTest, TestDheOnlyFails) {
-  SetDtlsPeer();
-
-  // p2_ is the client
-  // setting this on p1_ (the server) causes NSS to assert
-  ConfigureOneCipher(p2_, TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
-  ConnectSocketExpectFail();
-}
-
 TEST(PushTests, LayerFail) {
   mozilla::RefPtr<TransportFlow> flow = new TransportFlow();
   nsresult rv;
   bool destroyed1, destroyed2;
 
   rv = flow->PushLayer(new TransportLayerDummy(true, &destroyed1));
   ASSERT_TRUE(NS_SUCCEEDED(rv));
 
@@ -900,16 +753,17 @@ TEST(PushTests, LayerFail) {
   ASSERT_EQ(true, destroyed1);
   ASSERT_EQ(true, destroyed2);
 
   rv = flow->PushLayer(new TransportLayerDummy(true, &destroyed1));
   ASSERT_TRUE(NS_FAILED(rv));
   ASSERT_EQ(true, destroyed1);
 }
 
+
 TEST(PushTests, LayersFail) {
   mozilla::RefPtr<TransportFlow> flow = new TransportFlow();
   nsresult rv;
   bool destroyed1, destroyed2, destroyed3;
 
   rv = flow->PushLayer(new TransportLayerDummy(true, &destroyed1));
   ASSERT_TRUE(NS_SUCCEEDED(rv));
 
--- a/media/mtransport/transportlayer.h
+++ b/media/mtransport/transportlayer.h
@@ -24,17 +24,17 @@ class TransportFlow;
 
 typedef int TransportResult;
 
 enum {
   TE_WOULDBLOCK = -1, TE_ERROR = -2, TE_INTERNAL = -3
 };
 
 #define TRANSPORT_LAYER_ID(name) \
-  virtual const std::string id() const { return name; } \
+  virtual const std::string id() { return name; } \
   static std::string ID() { return name; }
 
 // Abstract base class for network transport layers.
 class TransportLayer : public sigslot::has_slots<> {
  public:
   // The state of the transport flow
   // We can't use "ERROR" because Windows has a macro named "ERROR"
   enum State { TS_NONE, TS_INIT, TS_CONNECTING, TS_OPEN, TS_CLOSED, TS_ERROR };
@@ -76,41 +76,41 @@ class TransportLayer : public sigslot::h
   // Event definitions that one can register for
   // State has changed
   sigslot::signal2<TransportLayer*, State> SignalStateChange;
   // Data received on the flow
   sigslot::signal3<TransportLayer*, const unsigned char *, size_t>
                          SignalPacketReceived;
 
   // Return the layer id for this layer
-  virtual const std::string id() const = 0;
+  virtual const std::string id() = 0;
 
   // The id of the flow
-  const std::string& flow_id() const {
+  const std::string& flow_id() {
     return flow_id_;
   }
 
  protected:
   virtual void WasInserted() {}
   virtual void SetState(State state, const char *file, unsigned line);
   // Check if we are on the right thread
-  void CheckThread() const {
+  void CheckThread() {
     NS_ABORT_IF_FALSE(CheckThreadInt(), "Wrong thread");
   }
 
   Mode mode_;
   State state_;
   std::string flow_id_;
   TransportLayer *downward_; // The next layer in the stack
   nsCOMPtr<nsIEventTarget> target_;
 
  private:
   DISALLOW_COPY_ASSIGN(TransportLayer);
 
-  bool CheckThreadInt() const {
+  bool CheckThreadInt() {
     bool on;
 
     if (!target_)  // OK if no thread set.
       return true;
 
     NS_ENSURE_SUCCESS(target_->IsOnCurrentThread(&on), false);
     NS_ENSURE_TRUE(on, false);
 
--- a/media/mtransport/transportlayerdtls.cpp
+++ b/media/mtransport/transportlayerdtls.cpp
@@ -493,21 +493,21 @@ bool TransportLayerDtls::Setup() {
 
     rv = SSL_OptionSet(ssl_fd, SSL_REQUIRE_CERTIFICATE, PR_TRUE);
     if (rv != SECSuccess) {
       MOZ_MTLOG(ML_ERROR, "Couldn't require certificate");
       return false;
     }
   }
 
-  // Require TLS 1.1 or 1.2. Perhaps some day in the future we will allow TLS
-  // 1.0 for stream modes.
+  // Require TLS 1.1. Perhaps some day in the future we will allow
+  // TLS 1.0 for stream modes.
   SSLVersionRange version_range = {
     SSL_LIBRARY_VERSION_TLS_1_1,
-    SSL_LIBRARY_VERSION_TLS_1_2
+    SSL_LIBRARY_VERSION_TLS_1_1
   };
 
   rv = SSL_VersionRangeSet(ssl_fd, &version_range);
   if (rv != SECSuccess) {
     MOZ_MTLOG(ML_ERROR, "Can't disable SSLv3");
     return false;
   }
 
@@ -542,18 +542,26 @@ bool TransportLayerDtls::Setup() {
   }
 
   rv = SSL_OptionSet(ssl_fd, SSL_NO_LOCKS, PR_TRUE);
   if (rv != SECSuccess) {
     MOZ_MTLOG(ML_ERROR, "Couldn't disable locks");
     return false;
   }
 
-  if (!SetupCipherSuites(ssl_fd)) {
-    return false;
+  // Set the SRTP ciphers
+  if (srtp_ciphers_.size()) {
+    // Note: std::vector is guaranteed to contiguous
+    rv = SSL_SetSRTPCiphers(ssl_fd, &srtp_ciphers_[0],
+                            srtp_ciphers_.size());
+
+    if (rv != SECSuccess) {
+      MOZ_MTLOG(ML_ERROR, "Couldn't set SRTP cipher suite");
+      return false;
+    }
   }
 
   // Certificate validation
   rv = SSL_AuthCertificateHook(ssl_fd, AuthCertificateHook,
                                reinterpret_cast<void *>(this));
   if (rv != SECSuccess) {
     MOZ_MTLOG(ML_ERROR, "Couldn't set certificate validation hook");
     return false;
@@ -573,145 +581,16 @@ bool TransportLayerDtls::Setup() {
 
   if (downward_->state() == TS_OPEN) {
     Handshake();
   }
 
   return true;
 }
 
-// Ciphers we need to enable.  These are on by default in standard firefox
-// builds, but can be disabled with prefs and they aren't on in our unit tests
-// since that uses NSS default configuration.
-// Only override prefs to comply with MUST statements in the security-arch.
-static const uint32_t EnabledCiphers[] = {
-  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-};
-
-// Disalbe all NSS suites modes without PFS or with old and rusty ciphersuites.
-// Anything outside this list is governed by the usual combination of policy
-// and user preferences.
-static const uint32_t DisabledCiphers[] = {
-  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-  TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-
-  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-  TLS_DHE_DSS_WITH_RC4_128_SHA,
-
-  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
-  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
-  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
-  TLS_ECDH_RSA_WITH_RC4_128_SHA,
-
-  TLS_RSA_WITH_AES_128_GCM_SHA256,
-  TLS_RSA_WITH_AES_128_CBC_SHA,
-  TLS_RSA_WITH_AES_128_CBC_SHA256,
-  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
-  TLS_RSA_WITH_AES_256_CBC_SHA,
-  TLS_RSA_WITH_AES_256_CBC_SHA256,
-  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
-  TLS_RSA_WITH_SEED_CBC_SHA,
-  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
-  TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-  TLS_RSA_WITH_RC4_128_SHA,
-  TLS_RSA_WITH_RC4_128_MD5,
-
-  TLS_DHE_RSA_WITH_DES_CBC_SHA,
-  TLS_DHE_DSS_WITH_DES_CBC_SHA,
-  SSL_RSA_FIPS_WITH_DES_CBC_SHA,
-  TLS_RSA_WITH_DES_CBC_SHA,
-
-  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
-  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-
-  TLS_RSA_EXPORT_WITH_RC4_40_MD5,
-  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-
-  TLS_ECDHE_ECDSA_WITH_NULL_SHA,
-  TLS_ECDHE_RSA_WITH_NULL_SHA,
-  TLS_ECDH_ECDSA_WITH_NULL_SHA,
-  TLS_ECDH_RSA_WITH_NULL_SHA,
-
-  TLS_RSA_WITH_NULL_SHA,
-  TLS_RSA_WITH_NULL_SHA256,
-  TLS_RSA_WITH_NULL_MD5,
-};
-
-bool TransportLayerDtls::SetupCipherSuites(PRFileDesc* ssl_fd) const {
-  SECStatus rv;
-
-  // Set the SRTP ciphers
-  if (!srtp_ciphers_.empty()) {
-    // Note: std::vector is guaranteed to contiguous
-    rv = SSL_SetSRTPCiphers(ssl_fd, &srtp_ciphers_[0], srtp_ciphers_.size());
-
-    if (rv != SECSuccess) {
-      MOZ_MTLOG(ML_ERROR, "Couldn't set SRTP cipher suite");
-      return false;
-    }
-  }
-
-  for (size_t i = 0; i < PR_ARRAY_SIZE(EnabledCiphers); ++i) {
-    MOZ_MTLOG(ML_INFO, LAYER_INFO << "Enabling: " << EnabledCiphers[i]);
-    rv = SSL_CipherPrefSet(ssl_fd, EnabledCiphers[i], PR_TRUE);
-    if (rv != SECSuccess) {
-      MOZ_MTLOG(ML_ERROR, LAYER_INFO <<
-                "Unable to enable suite: " << EnabledCiphers[i]);
-      return false;
-    }
-  }
-
-  for (size_t i = 0; i < PR_ARRAY_SIZE(DisabledCiphers); ++i) {
-    MOZ_MTLOG(ML_INFO, LAYER_INFO << "Disabling: " << DisabledCiphers[i]);
-
-    PRBool enabled = false;
-    rv = SSL_CipherPrefGet(ssl_fd, DisabledCiphers[i], &enabled);
-    if (rv != SECSuccess) {
-      MOZ_MTLOG(ML_NOTICE, LAYER_INFO <<
-                "Unable to check if suite is enabled: " << DisabledCiphers[i]);
-      return false;
-    }
-    if (enabled) {
-      rv = SSL_CipherPrefSet(ssl_fd, DisabledCiphers[i], PR_FALSE);
-      if (rv != SECSuccess) {
-        MOZ_MTLOG(ML_NOTICE, LAYER_INFO <<
-                  "Unable to disable suite: " << DisabledCiphers[i]);
-        return false;
-      }
-    }
-  }
-  return true;
-}
-
-nsresult TransportLayerDtls::GetCipherSuite(uint16_t* cipherSuite) const {
-  CheckThread();
-  if (!cipherSuite) {
-    MOZ_MTLOG(ML_ERROR, LAYER_INFO << "GetCipherSuite passed a nullptr");
-    return NS_ERROR_NULL_POINTER;
-  }
-  if (state_ != TS_OPEN) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-  SSLChannelInfo info;
-  SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info, sizeof(info));
-  if (rv != SECSuccess) {
-    MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "GetCipherSuite can't get channel info");
-    return NS_ERROR_FAILURE;
-  }
-  *cipherSuite = info.cipherSuite;
-  return NS_OK;
-}
 
 void TransportLayerDtls::StateChange(TransportLayer *layer, State state) {
   if (state <= state_) {
     MOZ_MTLOG(ML_ERROR, "Lower layer state is going backwards from ours");
     TL_SET_STATE(TS_ERROR);
     return;
   }
 
@@ -914,17 +793,17 @@ SECStatus TransportLayerDtls::GetClientA
 
 nsresult TransportLayerDtls::SetSrtpCiphers(std::vector<uint16_t> ciphers) {
   // TODO: We should check these
   srtp_ciphers_ = ciphers;
 
   return NS_OK;
 }
 
-nsresult TransportLayerDtls::GetSrtpCipher(uint16_t *cipher) const {
+nsresult TransportLayerDtls::GetSrtpCipher(uint16_t *cipher) {
   CheckThread();
   SECStatus rv = SSL_GetSRTPCipher(ssl_fd_, cipher);
   if (rv != SECSuccess) {
     MOZ_MTLOG(ML_DEBUG, "No SRTP cipher negotiated");
     return NS_ERROR_FAILURE;
   }
 
   return NS_OK;
--- a/media/mtransport/transportlayerdtls.h
+++ b/media/mtransport/transportlayerdtls.h
@@ -68,20 +68,18 @@ class TransportLayerDtls : public Transp
   void SetIdentity(const RefPtr<DtlsIdentity>& identity) {
     identity_ = identity;
   }
   nsresult SetVerificationAllowAll();
   nsresult SetVerificationDigest(const std::string digest_algorithm,
                                  const unsigned char *digest_value,
                                  size_t digest_len);
 
-  nsresult GetCipherSuite(uint16_t* cipherSuite) const;
-
   nsresult SetSrtpCiphers(std::vector<uint16_t> ciphers);
-  nsresult GetSrtpCipher(uint16_t *cipher) const;
+  nsresult GetSrtpCipher(uint16_t *cipher);
 
   nsresult ExportKeyingMaterial(const std::string& label,
                                 bool use_context,
                                 const std::string& context,
                                 unsigned char *out,
                                 unsigned int outlen);
 
   const CERTCertificate *GetPeerCert() const {
@@ -93,19 +91,16 @@ class TransportLayerDtls : public Transp
   virtual void WasInserted();
   virtual TransportResult SendPacket(const unsigned char *data, size_t len);
 
   // Signals
   void StateChange(TransportLayer *layer, State state);
   void PacketReceived(TransportLayer* layer, const unsigned char *data,
                       size_t len);
 
-  // For testing use only.  Returns the fd.
-  PRFileDesc* internal_fd() { CheckThread(); return ssl_fd_.rwget(); }
-
   TRANSPORT_LAYER_ID("dtls")
 
   private:
   DISALLOW_COPY_ASSIGN(TransportLayerDtls);
 
   // A single digest to check
   class VerificationDigest {
    public:
@@ -126,17 +121,16 @@ class TransportLayerDtls : public Transp
 
    private:
     ~VerificationDigest() {}
     DISALLOW_COPY_ASSIGN(VerificationDigest);
   };
 
 
   bool Setup();
-  bool SetupCipherSuites(PRFileDesc* ssl_fd) const;
   void Handshake();
 
   static SECStatus GetClientAuthDataHook(void *arg, PRFileDesc *fd,
                                          CERTDistNames *caNames,
                                          CERTCertificate **pRetCert,
                                          SECKEYPrivateKey **pRetKey);
   static SECStatus AuthCertificateHook(void *arg,
                                        PRFileDesc *fd,