Bug 583908 - Enable TLS false start in Mozilla. r/a=sayrer. (CLOSED TREE)
authorWan-Teh Chang <wtc@google.com>
Tue, 03 Aug 2010 23:36:53 -0700
changeset 48797 79aa28daf1f469a02207c26257cbe7ba4c23e184
parent 48796 9bad7aab73d80cc348cec81998022c20557f3e5b
child 48823 c761f8e85b8c890441f16d4f92c2c4bbbfb19f55
push id14824
push userrsayre@mozilla.com
push dateWed, 04 Aug 2010 06:37:15 +0000
treeherdermozilla-central@79aa28daf1f4 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs583908
milestone2.0b3pre
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 583908 - Enable TLS false start in Mozilla. r/a=sayrer. (CLOSED TREE)
netwerk/base/public/security-prefs.js
security/nss/lib/ssl/sslauth.c
security/nss/lib/ssl/sslreveal.c
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -3,17 +3,17 @@ pref("security.enable_ssl3",            
 pref("security.enable_tls",		 true);
 pref("security.enable_tls_session_tickets", true);
 
 pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
 pref("security.ssl.renego_unrestricted_hosts", "");
 pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
 pref("security.ssl.require_safe_negotiation",  false);
 pref("security.ssl.warn_missing_rfc5746",  1);
-pref("security.ssl.enable_false_start", false);
+pref("security.ssl.enable_false_start", true);
 
 pref("security.ssl2.rc4_128", false);
 pref("security.ssl2.rc2_128", false);
 pref("security.ssl2.des_ede3_192", false);
 pref("security.ssl2.des_64", false);
 pref("security.ssl2.rc4_40", false);
 pref("security.ssl2.rc2_40", false);
 pref("security.ssl3.rsa_rc4_128_md5", true);
--- a/security/nss/lib/ssl/sslauth.c
+++ b/security/nss/lib/ssl/sslauth.c
@@ -87,16 +87,17 @@ SSL_LocalCertificate(PRFileDesc *fd)
 /* NEED LOCKS IN HERE.  */
 SECStatus
 SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
 		   char **ip, char **sp)
 {
     sslSocket *ss;
     const char *cipherName;
     PRBool isDes = PR_FALSE;
+    PRBool enoughFirstHsDone = PR_FALSE;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
 		 SSL_GETPID(), fd));
 	return SECFailure;
     }
 
@@ -104,18 +105,24 @@ SSL_SecurityStatus(PRFileDesc *fd, int *
     if (kp0) *kp0 = 0;
     if (kp1) *kp1 = 0;
     if (ip) *ip = 0;
     if (sp) *sp = 0;
     if (op) {
 	*op = SSL_SECURITY_STATUS_OFF;
     }
 
-    if (ss->opt.useSecurity && ss->firstHsDone) {
+    if (ss->firstHsDone) {
+	enoughFirstHsDone = PR_TRUE;
+    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+	       ssl3_CanFalseStart(ss)) {
+	enoughFirstHsDone = PR_TRUE;
+    }
 
+    if (ss->opt.useSecurity && enoughFirstHsDone) {
 	if (ss->version < SSL_LIBRARY_VERSION_3_0) {
 	    cipherName = ssl_cipherName[ss->sec.cipherType];
 	} else {
 	    cipherName = ssl3_cipherName[ss->sec.cipherType];
 	}
 	PORT_Assert(cipherName);
 	if (cipherName) {
             if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
--- a/security/nss/lib/ssl/sslreveal.c
+++ b/security/nss/lib/ssl/sslreveal.c
@@ -106,24 +106,36 @@ SSL_RevealURL(PRFileDesc * fd)
 SECStatus
 SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, 
                                  SSLExtensionType extId,
                                  PRBool *pYes)
 {
   /* some decisions derived from SSL_GetChannelInfo */
   sslSocket * sslsocket = NULL;
   SECStatus rv = SECFailure;
+  PRBool enoughFirstHsDone = PR_FALSE;
 
   if (!pYes)
     return rv;
 
   sslsocket = ssl_FindSocket(socket);
+  if (!sslsocket) {
+    SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeNegotiatedExtension",
+             SSL_GETPID(), socket));
+    return rv;
+  }
+
+  if (sslsocket->firstHsDone) {
+    enoughFirstHsDone = PR_TRUE;
+  } else if (sslsocket->ssl3.initialized && ssl3_CanFalseStart(sslsocket)) {
+    enoughFirstHsDone = PR_TRUE;
+  }
 
   /* according to public API SSL_GetChannelInfo, this doesn't need a lock */
-  if (sslsocket && sslsocket->opt.useSecurity && sslsocket->firstHsDone) {
+  if (sslsocket->opt.useSecurity && enoughFirstHsDone) {
     if (sslsocket->ssl3.initialized) { /* SSL3 and TLS */
       /* now we know this socket went through ssl3_InitState() and
        * ss->xtnData got initialized, which is the only member accessed by
        * ssl3_ExtensionNegotiated();
        * Member xtnData appears to get accessed in functions that handle
        * the handshake (hello messages and extension sending),
        * therefore the handshake lock should be sufficient.
        */