Bug 1430268 - Unconditionally enable compat mode. r=keeler
authorEKR <ekr@rtfm.com>
Wed, 27 Dec 2017 16:34:56 -0800
changeset 399197 fafb731dae7c13cf972b8fa94ea584bcc9b9bbfd
parent 399196 bf5aca81d31bee07f3afcb621c368cea75ac5d7d
child 399198 d7a4884fbc25e2cc2895b5e115960d26b927201b
child 399218 04c0a07b8de21300856ec89b7d118d4be9b86250
push id98911
push userekr@mozilla.com
push dateSat, 13 Jan 2018 18:19:02 +0000
reviewerskeeler
bugs1430268
milestone59.0a1
Bug 1430268 - Unconditionally enable compat mode. r=keeler Summary: Needed for real TLS 1.3 deployment Reviewers: mt Differential Revision: https://phabricator.services.mozilla.com/D342
security/manager/ssl/nsNSSIOLayer.cpp
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -70,17 +70,17 @@ namespace {
 // does not impact other normal sockets not using the flags.)
 //
 // Their current definitions are:
 //
 // bits 0-2 (mask 0x07) specify the max tls version
 //          0 means no override 1->4 are 1.0, 1.1, 1.2, 1.3, 4->7 unused
 // bits 3-5 (mask 0x38) specify the tls fallback limit
 //          0 means no override, values 1->4 match prefs
-// bit    6 (mask 0x40) specifies use of TLS 1.3 compatibility mode (draft-22)
+// bit    6 (mask 0x40) was used to specify compat mode. Temporarily reserved.
 
 enum {
   kTLSProviderFlagMaxVersion10   = 0x01,
   kTLSProviderFlagMaxVersion11   = 0x02,
   kTLSProviderFlagMaxVersion12   = 0x03,
   kTLSProviderFlagMaxVersion13   = 0x04,
 };
 
@@ -89,21 +89,16 @@ static uint32_t getTLSProviderFlagMaxVer
   return (flags & 0x07);
 }
 
 static uint32_t getTLSProviderFlagFallbackLimit(uint32_t flags)
 {
   return (flags & 0x38) >> 3;
 }
 
-static bool getTLSProviderFlagCompatMode(uint32_t flags)
-{
-  return (flags & 0x40);
-}
-
 #define MAX_ALPN_LENGTH 255
 
 void
 getSiteKey(const nsACString& hostName, uint16_t port,
            /*out*/ nsACString& key)
 {
   key = hostName;
   key.AppendASCII(":");
@@ -2575,16 +2570,22 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, b
     }
   }
 
   SSLVersionRange range;
   if (SSL_VersionRangeGet(fd, &range) != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
 
+  // Set TLS 1.3 compat mode.
+  if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE)) {
+    MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+            ("[%p] nsSSLIOLayerSetOptions: Setting compat mode failed\n", fd));
+  }
+
   // setting TLS max version
   uint32_t versionFlags =
     getTLSProviderFlagMaxVersion(infoObject->GetProviderTlsFlags());
   if (versionFlags) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
             ("[%p] nsSSLIOLayerSetOptions: version flags %d\n", fd, versionFlags));
     if (versionFlags == kTLSProviderFlagMaxVersion10) {
       range.max = SSL_LIBRARY_VERSION_TLS_1_0;
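Review bot: The failure branch of the added `SSL_OptionSet(fd, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE)` call only logs and falls through, whereas the `SSL_VersionRangeGet` failure directly above it returns `NS_ERROR_FAILURE`. The removed code marked this as deliberate with `// continue on default path`, and that comment was not carried over to the new location. If best-effort is the intent, state it at the call, e.g. `// Always request TLS 1.3 compat mode; on failure, log and continue without it.` The current `// Set TLS 1.3 compat mode.` comment restates the call rather than giving the reason, which the commit message describes as being needed for real TLS 1.3 deployment. nsSSLIOLayerSetOptions starts and ends outside this hunk.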
@@ -2596,27 +2597,16 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, b
       range.max = SSL_LIBRARY_VERSION_TLS_1_3;
     } else {
       MOZ_LOG(gPIPNSSLog, LogLevel::Error,
               ("[%p] nsSSLIOLayerSetOptions: unknown version flags %d\n",
                fd, versionFlags));
     }
   }
 
-  // enabling alternative handshake
-  if (getTLSProviderFlagCompatMode(infoObject->GetProviderTlsFlags())) {
-    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
-            ("[%p] nsSSLIOLayerSetOptions: Use Compatible Handshake\n", fd));
-    if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE)) {
-          MOZ_LOG(gPIPNSSLog, LogLevel::Error,
-                  ("[%p] nsSSLIOLayerSetOptions: Setting compat mode failed\n", fd));
-          // continue on default path
-    }
-  }
-
   if ((infoObject->GetProviderFlags() & nsISocketProvider::BE_CONSERVATIVE) &&
       (range.max > SSL_LIBRARY_VERSION_TLS_1_2)) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
             ("[%p] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to BE_CONSERVATIVE flag\n",
              fd));
     range.max = SSL_LIBRARY_VERSION_TLS_1_2;
   }