Bug 1579270 - Disable TLS 1.0 and TLS 1.1 in Nightly, r=jcj
authorMartin Thomson <mt@lowentropy.net>
Fri, 27 Sep 2019 04:01:17 +0000
changeset 495241 f8020435c9fd343965d80a040e0f9f78d933142b
parent 495240 43ac974f69dbfeb53f706953646b2ed2af8183ef
child 495242 4c234610246d2381636a53f4300c6cee5274e172
push id96545
push usermthomson@mozilla.com
push dateFri, 27 Sep 2019 04:03:08 +0000
reviewersjcj
bugs1579270
milestone71.0a1
Bug 1579270 - Disable TLS 1.0 and TLS 1.1 in Nightly, r=jcj This flips the default for security.tls.version.min to 3 (TLS 1.2) for the Nightly channel. Having had this pref at this level for the last year, I can confirm that this does break the occasional site, but it is quite rare. The intent of this change is to start making it more obvious when sites don't support TLS 1.2. I'm asking for wider review because this is a disruptive change. Differential Revision: https://phabricator.services.mozilla.com/D45627
browser/base/content/test/siteIdentity/browser_deprecatedTLSVersions.js
devtools/client/webconsole/test/browser/browser_webconsole_certificate_messages.js
modules/libpref/init/all.js
--- a/browser/base/content/test/siteIdentity/browser_deprecatedTLSVersions.js
+++ b/browser/base/content/test/siteIdentity/browser_deprecatedTLSVersions.js
@@ -16,17 +16,27 @@ function getIdentityMode(aWindow = windo
 
 function getConnectionState() {
   // Prevents items that are being lazy loaded causing issues
   document.getElementById("identity-box").click();
   gIdentityHandler.refreshIdentityPopup();
   return document.getElementById("identity-popup").getAttribute("connection");
 }
 
+registerCleanupFunction(function() {
+  // Set preferences back to their original values
+  Services.prefs.clearUserPref("security.tls.version.min");
+  Services.prefs.clearUserPref("security.tls.version.max");
+});
+
 add_task(async function() {
+  // Run with all versions enabled for this test.
+  Services.prefs.setIntPref("security.tls.version.min", 1);
+  Services.prefs.setIntPref("security.tls.version.max", 4);
+
   await BrowserTestUtils.withNewTab("about:blank", async function(browser) {
     // Try deprecated versions
     await BrowserTestUtils.loadURI(browser, HTTPS_TLS1_0);
     await BrowserTestUtils.browserLoaded(browser);
     isSecurityState(browser, "broken");
     is(
       getIdentityMode(),
       "unknownIdentity weakCipher",
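Review bot: The comment above the two setIntPref calls says what is done but not why, and the values 1 and 4 are bare magic numbers; since this same commit moves the Nightly default of security.tls.version.min to 3, the test only reaches its TLS 1.0 assertions because of this override. Suggest `// Nightly now defaults security.tls.version.min to 3 (TLS 1.2, bug 1579270); re-enable TLS 1.0/1.1 (min=1, max=4) so the deprecated-version identity UI can still be exercised.` The same applies to the override added in devtools/client/webconsole/test/browser/browser_webconsole_certificate_messages.js. With every test forcing min=1, nothing visible here checks the new default, i.e. that a TLS 1.0-only host such as HTTPS_TLS1_0 fails to connect without the override; unless that is covered elsewhere, a second task asserting the default behaviour would pin the intent of the pref change. The add_task body continues past the end of the hunk.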
--- a/devtools/client/webconsole/test/browser/browser_webconsole_certificate_messages.js
+++ b/devtools/client/webconsole/test/browser/browser_webconsole_certificate_messages.js
@@ -16,16 +16,22 @@ const SHA256_URL = "https://sha256ee.exa
 const TRIGGER_MSG = "If you haven't seen ssl warnings yet, you won't";
 const TLS_1_0_URL = "https://tls1.example.com" + TEST_URI_PATH;
 
 const TLS_expected_message =
   "This site uses a deprecated version of TLS that" +
   " will be disabled in March 2020. Please upgrade" +
   " to TLS 1.2 or 1.3.";
 
+registerCleanupFunction(function() {
+  // Set preferences back to their original values
+  Services.prefs.clearUserPref("security.tls.version.min");
+  Services.prefs.clearUserPref("security.tls.version.max");
+});
+
 add_task(async function() {
   const hud = await openNewTabAndConsole(TEST_URI);
 
   info("Test SHA1 warnings");
   let onContentLog = waitForMessage(hud, TRIGGER_MSG);
   const onSha1Warning = waitForMessage(hud, "SHA-1");
   await loadDocument(SHA1_URL);
   await Promise.all([onContentLog, onSha1Warning]);
@@ -50,16 +56,19 @@ add_task(async function() {
   );
   ok(!textContent.includes("RC4"), "There is no warning message for RC4");
   ok(
     !textContent.includes(TLS_expected_message),
     "There is not TLS warning message"
   );
 
   info("Test TLS warnings");
+  // Run with all versions enabled for this test.
+  Services.prefs.setIntPref("security.tls.version.min", 1);
+  Services.prefs.setIntPref("security.tls.version.max", 4);
   onContentLog = waitForMessage(hud, TRIGGER_MSG);
   await loadDocument(TLS_1_0_URL);
   await onContentLog;
 
   textContent = hud.ui.outputNode.textContent;
   ok(textContent.includes(TLS_expected_message), "TLS warning message found");
 
   Services.cache2.clear();
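Review bot: The pref override in the second hunk is applied with raw `Services.prefs.setIntPref` in the middle of the task and then undone only by the registerCleanupFunction added in the first hunk, so a failure before the cleanup leaves the process-wide min/max changed for any later task in the file. Using `await SpecialPowers.pushPrefEnv({ set: [["security.tls.version.min", 1], ["security.tls.version.max", 4]] });` at the same spot restores the prefs automatically at the end of the task and makes the separate cleanup function unnecessary. The `TLS_expected_message` text asserted here ("will be disabled in March 2020") is only emitted when the connection actually negotiates TLS 1.0, which is why the override has to precede `loadDocument(TLS_1_0_URL)`; a one-line comment saying so would help the next reader. The enclosing add_task starts and ends outside this hunk.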
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -14,17 +14,21 @@
 //
 // For the syntax used by this file, consult the comments at the top of
 // modules/libpref/parser/src/lib.rs.
 //
 // Please indent all prefs defined within #ifdef/#ifndef conditions. This
 // improves readability, particular for conditional blocks that exceed a single
 // screen.
 
-pref("security.tls.version.min", 1);
+#ifdef RELEASE_OR_BETA
+  pref("security.tls.version.min", 1);
+#else
+  pref("security.tls.version.min", 3);
+#endif
 pref("security.tls.version.max", 4);
 pref("security.tls.version.fallback-limit", 4);
 pref("security.tls.insecure_fallback_hosts", "");
 // Turn off post-handshake authentication for TLS 1.3 by default,
 // until the incompatibility with HTTP/2 is resolved:
 // https://tools.ietf.org/html/draft-davidben-http2-tls13-00
 pref("security.tls.enable_post_handshake_auth", false);
 #ifdef RELEASE_OR_BETA
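Review bot: The new `#else` branch changes a security default for every non-release channel without a comment, so a reader of all.js cannot tell that 3 means TLS 1.2 or why the two branches differ; suggest, above the `#ifdef`, `// Bug 1579270: outside release/beta the minimum is 3 (TLS 1.2), disabling TLS 1.0 and 1.1 ahead of their planned removal; release/beta keep 1 (TLS 1.0) for now.` The neighbouring `security.tls.version.fallback-limit` and `security.tls.insecure_fallback_hosts` prefs stay unconditional; if the fallback path clamps to version.min this is fine, but it is worth confirming (and noting in the same comment) that an insecure_fallback_hosts entry cannot reopen TLS 1.0/1.1 on Nightly.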