Bug 1590935 - Offer to re-enable TLS 1.0 on SSL_ERROR_PROTOCOL_VERSION_ALERT, r=nhnt11
authorMartin Thomson <mt@lowentropy.net>
Wed, 13 Nov 2019 09:34:48 +0000
changeset 502314 4fe43f4966b277eb66d5dfcf534329c92d166afb
parent 502313 7a28e398b881cca9b105fff733bf72205ec5782f
child 502315 7dc52ca0f1de82924ef9ac2b8d04e8852ed08ab1
push id114172
push userdluca@mozilla.com
push dateTue, 19 Nov 2019 11:31:10 +0000
reviewersnhnt11
bugs1590935
milestone72.0a1
Bug 1590935 - Offer to re-enable TLS 1.0 on SSL_ERROR_PROTOCOL_VERSION_ALERT, r=nhnt11 As it turns out, there are some sites that generate this error. It's a small number, but enough to justify the change. No new tests because we can't generate this condition in our test setup. Differential Revision: https://phabricator.services.mozilla.com/D50396
browser/base/content/aboutNetError.js
browser/base/content/test/about/browser_aboutNetError.js
--- a/browser/base/content/aboutNetError.js
+++ b/browser/base/content/aboutNetError.js
@@ -270,30 +270,33 @@ function initPage() {
   let baseURL = RPMGetFormatURLPref("app.support.baseURL");
   learnMoreLink.setAttribute("href", baseURL + "connection-not-secure");
 
   // Pinning errors are of type nssFailure2
   if (err == "nssFailure2") {
     setupErrorUI();
 
     const errorCode = document.getNetErrorInfo().errorCodeString;
-    const isTlsVersionError = errorCode == "SSL_ERROR_UNSUPPORTED_VERSION";
+    const isTlsVersionError =
+      errorCode == "SSL_ERROR_UNSUPPORTED_VERSION" ||
+      errorCode == "SSL_ERROR_PROTOCOL_VERSION_ALERT";
     const tls10OverrideEnabled = RPMGetBoolPref(
       "security.tls.version.enable-deprecated"
     );
 
     if (isTlsVersionError && !tls10OverrideEnabled) {
       // This is probably a TLS 1.0 server; offer to re-enable.
       showTls10Container();
     } else {
       const hasPrefStyleError = [
         "interrupted", // This happens with subresources that are above the max tls
         "SSL_ERROR_NO_CIPHERS_SUPPORTED",
         "SSL_ERROR_NO_CYPHER_OVERLAP",
         "SSL_ERROR_PROTOCOL_VERSION_ALERT",
+        "SSL_ERROR_SSL_DISABLED",
         "SSL_ERROR_UNSUPPORTED_VERSION",
       ].some(substring => {
         return substring == errorCode;
       });
 
       if (hasPrefStyleError) {
         RPMAddMessageListener("HasChangedCertPrefs", msg => {
           if (msg.data.hasChangedCertPrefs) {
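Review bot: The comment `// This is probably a TLS 1.0 server; offer to re-enable.` just below the new condition no longer describes the code: with `SSL_ERROR_PROTOCOL_VERSION_ALERT` added, the re-enable offer is also shown when the peer itself sends a protocol_version alert, which presumably is not limited to TLS 1.0-only servers (a version-intolerant server or middlebox would produce the same code, and that alert arrives before anything in the handshake is authenticated). Suggest `// The peer sent a protocol_version alert or no common version was found; this is most likely a TLS 1.0-only server, so offer to re-enable deprecated versions.` so the broader trigger is recorded next to the decision. Style: the same two codes now appear both here and in the `hasPrefStyleError` list, and both membership tests read better as `const TLS_VERSION_ERRORS = ["SSL_ERROR_UNSUPPORTED_VERSION", "SSL_ERROR_PROTOCOL_VERSION_ALERT"]; const isTlsVersionError = TLS_VERSION_ERRORS.includes(errorCode);` with `.includes(errorCode)` replacing the `.some(substring => ...)` callback and `===` for the comparisons. initPage starts and ends outside this hunk.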
--- a/browser/base/content/test/about/browser_aboutNetError.js
+++ b/browser/base/content/test/about/browser_aboutNetError.js
@@ -2,22 +2,54 @@
  * http://creativecommons.org/publicdomain/zero/1.0/ */
 
 "use strict";
 
 const SSL3_PAGE = "https://ssl3.example.com/";
 const TLS10_PAGE = "https://tls1.example.com/";
 const TLS12_PAGE = "https://tls12.example.com/";
 
+// This includes all the cipher suite prefs we have.
+const CIPHER_SUITE_PREFS = [
+  "security.ssl3.dhe_rsa_aes_128_sha",
+  "security.ssl3.dhe_rsa_aes_256_sha",
+  "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",
+  "security.ssl3.ecdhe_ecdsa_aes_128_sha",
+  "security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384",
+  "security.ssl3.ecdhe_ecdsa_aes_256_sha",
+  "security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256",
+  "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",
+  "security.ssl3.ecdhe_rsa_aes_128_sha",
+  "security.ssl3.ecdhe_rsa_aes_256_gcm_sha384",
+  "security.ssl3.ecdhe_rsa_aes_256_sha",
+  "security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256",
+  "security.ssl3.rsa_aes_128_sha",
+  "security.ssl3.rsa_aes_256_sha",
+  "security.ssl3.rsa_des_ede3_sha",
+];
+
+function resetPrefs() {
+  Services.prefs.clearUserPref("security.tls.version.min");
+  Services.prefs.clearUserPref("security.tls.version.max");
+  Services.prefs.clearUserPref("security.tls.version.enable-deprecated");
+}
+
 add_task(async function resetToDefaultConfig() {
   info(
     "Change TLS config to cause page load to fail, check that reset button is shown and that it works"
   );
 
-  // Set ourselves up for TLS error
+  // Just twiddling version will trigger the TLS 1.0 offer.  So to test the
+  // broader UX, disable all cipher suites to trigger SSL_ERROR_SSL_DISABLED.
+  // This can be removed when security.tls.version.enable-deprecated is.
+  CIPHER_SUITE_PREFS.forEach(suitePref => {
+    Services.prefs.setBoolPref(suitePref, false);
+  });
+
+  // Set ourselves up for a TLS error.
   Services.prefs.setIntPref("security.tls.version.min", 1); // TLS 1.0
   Services.prefs.setIntPref("security.tls.version.max", 1);
 
   let browser;
   let pageLoaded;
   await BrowserTestUtils.openNewForegroundTab(
     gBrowser,
     () => {
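Review bot: The cipher-suite prefs disabled at the top of resetToDefaultConfig are only restored on the success path (the clearing loop in the next hunk of this file), so if any assertion throws in between, the `security.ssl3.*` prefs stay disabled and the later tasks would presumably hit `SSL_ERROR_SSL_DISABLED` instead of the version error they test for. Since `resetPrefs` is being introduced anyway, have it clear the suite prefs as well and register it as a cleanup: `function resetPrefs() { CIPHER_SUITE_PREFS.forEach(p => Services.prefs.clearUserPref(p)); ... }` followed by `registerCleanupFunction(resetPrefs);`, after which the separate forEach in the next hunk can be dropped. The comment `// This can be removed when security.tls.version.enable-deprecated is.` would read more clearly as `// This can be removed once security.tls.version.enable-deprecated is removed.`. The resetToDefaultConfig task continues past the end of this hunk.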
@@ -53,21 +85,23 @@ add_task(async function resetToDefaultCo
     is(
       prefResetButton.getAttribute("autofocus"),
       "true",
       "prefResetButton has autofocus"
     );
     prefResetButton.click();
   });
 
-  info("Waiting for the TLS 1.2 page to load after the click");
+  info("Waiting for the page to load after the click");
   await finalLoadComplete;
 
-  Services.prefs.clearUserPref("security.tls.version.min");
-  Services.prefs.clearUserPref("security.tls.version.max");
+  CIPHER_SUITE_PREFS.forEach(suitePref => {
+    Services.prefs.clearUserPref(suitePref);
+  });
+  resetPrefs();
   BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });
 
 add_task(async function checkLearnMoreLink() {
   info("Load an unsupported TLS page and check for a learn more link");
 
   // Set ourselves up for TLS error
   Services.prefs.setIntPref("security.tls.version.min", 3);
@@ -100,18 +134,17 @@ add_task(async function checkLearnMoreLi
     const learnMoreLink = doc.getElementById("learnMoreLink");
     ok(
       ContentTaskUtils.is_visible(learnMoreLink),
       "Learn More link is visible"
     );
     is(learnMoreLink.getAttribute("href"), _baseURL + "connection-not-secure");
   });
 
-  Services.prefs.clearUserPref("security.tls.version.min");
-  Services.prefs.clearUserPref("security.tls.version.max");
+  resetPrefs();
   BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });
 
 add_task(async function checkEnable10() {
   info(
     "Load a page with a deprecated TLS version, an option to enable TLS 1.0 is offered and it works"
   );
 
@@ -163,19 +196,17 @@ add_task(async function checkEnable10() 
       !ContentTaskUtils.is_visible(prefResetButton),
       "prefResetButton should NOT be visible"
     );
   });
 
   info("Waiting for the TLS 1.0 page to load after the click");
   await finalLoadComplete;
 
-  Services.prefs.clearUserPref("security.tls.version.min");
-  Services.prefs.clearUserPref("security.tls.version.max");
-  Services.prefs.clearUserPref("security.tls.version.enable-deprecated");
+  resetPrefs();
   BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });
 
 add_task(async function dontOffer10WhenAlreadyEnabled() {
   info("An option to enable TLS 1.0 is not offered if already enabled");
 
   Services.prefs.setIntPref("security.tls.version.min", 3);
   Services.prefs.setIntPref("security.tls.version.max", 3);
@@ -212,13 +243,11 @@ add_task(async function dontOffer10WhenA
     // It should offer to reset preferences instead.
     const prefResetButton = doc.getElementById("prefResetButton");
     ok(
       ContentTaskUtils.is_visible(prefResetButton),
       "prefResetButton should be visible"
     );
   });
 
-  Services.prefs.clearUserPref("security.tls.version.min");
-  Services.prefs.clearUserPref("security.tls.version.max");
-  Services.prefs.clearUserPref("security.tls.version.enable-deprecated");
+  resetPrefs();
   BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });