Bug 920248: Temporarily disable TLS false start, r=keeler, r=wtc
authorBrian Smith <brian@briansmith.org>
Wed, 25 Sep 2013 12:00:36 -0700
changeset 148713 c42bd1756a79776d23d88b8af28a521bab1ad83a
parent 148712 9e259b87bdcfc1b6793f73007c48fd5f05e84451
child 148714 ccef656b29735af4322f9924b4623f9b68d207b5
push id25352
push userkwierso@gmail.com
push dateThu, 26 Sep 2013 03:27:24 +0000
treeherdermozilla-central@94548c13fd47 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler, wtc
bugs920248
milestone27.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 920248: Temporarily disable TLS false start, r=keeler, r=wtc
netwerk/base/public/security-prefs.js
security/manager/ssl/src/nsNSSComponent.cpp
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -8,17 +8,17 @@ pref("security.enable_tls_session_ticket
 pref("security.enable_md5_signatures", false);
 
 pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
 pref("security.ssl.renego_unrestricted_hosts", "");
 pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
 pref("security.ssl.require_safe_negotiation",  false);
 pref("security.ssl.warn_missing_rfc5746",  1);
 pref("security.ssl.enable_ocsp_stapling", true);
-pref("security.ssl.enable_false_start", true);
+pref("security.ssl.enable_false_start", false);
 pref("security.ssl.false_start.require-npn", true);
 pref("security.ssl.false_start.require-forward-secrecy", false);
 
 pref("security.ssl3.rsa_rc4_128_md5", true);
 pref("security.ssl3.rsa_rc4_128_sha", true);
 pref("security.ssl3.rsa_fips_des_ede3_sha", true);
 pref("security.ssl3.rsa_des_ede3_sha", true);
 pref("security.ssl3.dhe_rsa_camellia_256_sha", true);
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -1210,21 +1210,20 @@ nsNSSComponent::InitializeNSS(bool showW
       bool allowUnrestrictedRenego =
         Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
                              ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
       SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
                            allowUnrestrictedRenego ?
                              SSL_RENEGOTIATE_UNRESTRICTED :
                              SSL_RENEGOTIATE_REQUIRES_XTN);
 
-#ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
-      bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
-                                                    FALSE_START_ENABLED_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled);
-#endif
+//    Bug 920248: temporarily disable false start
+//    bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
+//                                                  FALSE_START_ENABLED_DEFAULT);
+      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, false);
 
       // Disable any ciphers that NSS might have enabled by default
       for (uint16_t i = 0; i < SSL_NumImplementedCiphers; ++i)
       {
         uint16_t cipher_id = SSL_ImplementedCiphers[i];
         SSL_CipherPrefSetDefault(cipher_id, false);
       }
 
@@ -1646,22 +1645,21 @@ nsNSSComponent::Observe(nsISupports *aSu
     } else if (prefName.Equals("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref")) {
       bool allowUnrestrictedRenego =
         Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
                              ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
       SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
                            allowUnrestrictedRenego ?
                              SSL_RENEGOTIATE_UNRESTRICTED :
                              SSL_RENEGOTIATE_REQUIRES_XTN);
-#ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
     } else if (prefName.Equals("security.ssl.enable_false_start")) {
-      bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
-                                                    FALSE_START_ENABLED_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled);
-#endif
+//    Bug 920248: temporarily disable false start
+//    bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
+//                                                  FALSE_START_ENABLED_DEFAULT);
+      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, false);
     } else if (prefName.Equals("security.OCSP.enabled")
                || prefName.Equals("security.CRL_download.enabled")
                || prefName.Equals("security.fresh_revocation_info.require")
                || prefName.Equals("security.missing_cert_download.enabled")
                || prefName.Equals("security.first_network_revocation_method")
                || prefName.Equals("security.OCSP.require")
                || prefName.Equals("security.ssl.enable_ocsp_stapling")) {
       MutexAutoLock lock(mutex);