author | EKR <ekr@rtfm.com> |
Wed, 27 Dec 2017 16:34:56 -0800 (2017-12-28) | |
changeset 399213 | fafb731dae7c13cf972b8fa94ea584bcc9b9bbfd |
parent 399212 | bf5aca81d31bee07f3afcb621c368cea75ac5d7d |
child 399214 | 04c0a07b8de21300856ec89b7d118d4be9b86250 |
child 399215 | d7a4884fbc25e2cc2895b5e115960d26b927201b |
push id | 33248 |
push user | apavel@mozilla.com |
push date | Sat, 13 Jan 2018 21:49:47 +0000 (2018-01-13) |
reviewers | keeler |
bugs | 1430268 |
milestone | 59.0a1 |
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -70,17 +70,17 @@ namespace {
 // does not impact other normal sockets not using the flags.)
 //
 // Their current definitions are:
 //
 // bits 0-2 (mask 0x07) specify the max tls version
 // 0 means no override 1->4 are 1.0, 1.1, 1.2, 1.3, 4->7 unused
 // bits 3-5 (mask 0x38) specify the tls fallback limit
 // 0 means no override, values 1->4 match prefs
-// bit 6 (mask 0x40) specifies use of TLS 1.3 compatibility mode (draft-22)
+// bit 6 (mask 0x40) was used to specify compat mode. Temporarily reserved.
 enum {
   kTLSProviderFlagMaxVersion10 = 0x01,
   kTLSProviderFlagMaxVersion11 = 0x02,
   kTLSProviderFlagMaxVersion12 = 0x03,
   kTLSProviderFlagMaxVersion13 = 0x04,
 };
@@ -89,21 +89,16 @@ static uint32_t getTLSProviderFlagMaxVer
   return (flags & 0x07);
 }
 static uint32_t getTLSProviderFlagFallbackLimit(uint32_t flags)
 {
   return (flags & 0x38) >> 3;
 }
-static bool getTLSProviderFlagCompatMode(uint32_t flags)
-{
-  return (flags & 0x40);
-}
-
 #define MAX_ALPN_LENGTH 255
 void
 getSiteKey(const nsACString& hostName, uint16_t port, /*out*/ nsACString& key)
 {
   key = hostName;
   key.AppendASCII(":");
@@ -2575,16 +2570,22 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, b
     }
   }
   SSLVersionRange range;
   if (SSL_VersionRangeGet(fd, &range) != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
+  // Set TLS 1.3 compat mode.
+  if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE)) {
+    MOZ_LOG(gPIPNSSLog, LogLevel::Error,
+            ("[%p] nsSSLIOLayerSetOptions: Setting compat mode failed\n", fd));
+  }
+
   // setting TLS max version
   uint32_t versionFlags = getTLSProviderFlagMaxVersion(infoObject->GetProviderTlsFlags());
   if (versionFlags) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
             ("[%p] nsSSLIOLayerSetOptions: version flags %d\n", fd, versionFlags));
     if (versionFlags == kTLSProviderFlagMaxVersion10) {
       range.max = SSL_LIBRARY_VERSION_TLS_1_0;
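Review bot: The new failure branch after the unconditional `SSL_OptionSet(fd, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE)` call logs and falls through, but unlike the block it replaces it no longer states that continuing without compat mode is deliberate, and the message drops the NSPR error code that would tell a reader why the option was refused. I would keep the intent explicit and make the log actionable: `MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("[%p] nsSSLIOLayerSetOptions: Setting compat mode failed (%d)\n", fd, PR_GetError()));` followed by `// Non-fatal: the handshake proceeds without the compatibility-mode encoding.` Because the option is now set for every socket rather than only when a caller passed the 0x40 provider flag, a build whose NSS rejects the option would emit this Error-level line on every connection; whether NSS can reject it in practice is not visible here. The `// Set TLS 1.3 compat mode.` comment could also say that the old 0x40 provider flag is now ignored, so readers of the enum in the first hunk are not left guessing what "Temporarily reserved" means for callers that still pass it. nsSSLIOLayerSetOptions begins and ends outside the hunk.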
@@ -2596,27 +2597,16 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, b
       range.max = SSL_LIBRARY_VERSION_TLS_1_3;
     } else {
       MOZ_LOG(gPIPNSSLog, LogLevel::Error,
              ("[%p] nsSSLIOLayerSetOptions: unknown version flags %d\n", fd, versionFlags));
     }
   }
-  // enabling alternative handshake
-  if (getTLSProviderFlagCompatMode(infoObject->GetProviderTlsFlags())) {
-    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
-            ("[%p] nsSSLIOLayerSetOptions: Use Compatible Handshake\n", fd));
-    if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE)) {
-      MOZ_LOG(gPIPNSSLog, LogLevel::Error,
-              ("[%p] nsSSLIOLayerSetOptions: Setting compat mode failed\n", fd));
-      // continue on default path
-    }
-  }
-
   if ((infoObject->GetProviderFlags() & nsISocketProvider::BE_CONSERVATIVE) &&
       (range.max > SSL_LIBRARY_VERSION_TLS_1_2)) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
             ("[%p] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to BE_CONSERVATIVE flag\n", fd));
     range.max = SSL_LIBRARY_VERSION_TLS_1_2;
   }