Backed out changeset 38a63dbeab37 (bug 733644) for suspicion of causing test_bug798843_pref.html failures.
authorRyan VanderMeulen <ryanvm@gmail.com>
Fri, 13 Sep 2013 10:47:38 -0400
changeset 147028 78e5ddda2b4cc224f2fd55026436f6a5fc59a766
parent 147027 3734bebc9bfbd96727c6694248d21e16f7e6b8df
child 147029 3cb16a4bf22752659a8a0dc8f4eb18e8ba68f75c
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
bugs733644
milestone26.0a1
backs out38a63dbeab376cf0860c7192f8efa9456bb942a6
Backed out changeset 38a63dbeab37 (bug 733644) for suspicion of causing test_bug798843_pref.html failures.
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/src/nsNSSComponent.h
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -11,17 +11,17 @@
 #include "nsNSSComponent.h"
 
 #include "CertVerifier.h"
 #include "nsCertVerificationThread.h"
 #include "nsAppDirectoryServiceDefs.h"
 #include "nsComponentManagerUtils.h"
 #include "nsDirectoryServiceDefs.h"
 #include "nsICertOverrideService.h"
-#include "mozilla/Preferences.h"
+#include "nsIPrefService.h"
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
 #include "nsIDOMNode.h"
 #include "nsIDOMEvent.h"
 #include "nsIDOMDocument.h"
 #include "nsIDOMWindow.h"
 #include "nsIDOMWindowCollection.h"
 #include "nsIDocument.h"
@@ -866,72 +866,89 @@ static CipherPref CipherPrefs[] = {
  {"security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with RSA and a SHA1 MAC
  {"security.ssl3.dhe_rsa_des_ede3_sha", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with RSA, DHE, and a SHA1 MAC
  {"security.ssl3.dhe_dss_des_ede3_sha", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with DSA, DHE, and a SHA1 MAC
  {"security.ssl3.rsa_seed_sha", TLS_RSA_WITH_SEED_CBC_SHA}, // SEED encryption with RSA and a SHA1 MAC
  {nullptr, 0} /* end marker */
 };
 
 static void
-setNonPkixOcspEnabled(int32_t ocspEnabled)
+setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref)
 {
-  // Note: this preference is numeric vs boolean because previously we
+  // Note: this preference is numeric vs bolean because previously we
   // supported more than two options.
   if (!ocspEnabled) {
     CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
     CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
   } else {
     CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
     CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
   }
 }
 
 #define CRL_DOWNLOAD_DEFAULT false
 #define OCSP_ENABLED_DEFAULT 1
-#define OCSP_REQUIRED_DEFAULT false
+#define OCSP_REQUIRED_DEFAULT 0
 #define FRESH_REVOCATION_REQUIRED_DEFAULT false
 #define MISSING_CERT_DOWNLOAD_DEFAULT false
 #define FIRST_REVO_METHOD_DEFAULT "ocsp"
 #define USE_NSS_LIBPKIX_DEFAULT false
 #define OCSP_STAPLING_ENABLED_DEFAULT true
 
 // Caller must hold a lock on nsNSSComponent::mutex when calling this function
-void nsNSSComponent::setValidationOptions()
+void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref)
 {
   nsNSSShutDownPreventionLock locker;
+  nsresult rv;
 
-  bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
-                                             CRL_DOWNLOAD_DEFAULT);
-  // 0 = disabled, 1 = enabled
-  int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
-                                            OCSP_ENABLED_DEFAULT);
+  bool crlDownloading;
+  rv = pref->GetBoolPref("security.CRL_download.enabled", &crlDownloading);
+  if (NS_FAILED(rv))
+    crlDownloading = CRL_DOWNLOAD_DEFAULT;
+  
+  int32_t ocspEnabled;
+  rv = pref->GetIntPref("security.OCSP.enabled", &ocspEnabled);
+  // 0 = disabled, 1 = enabled, 
+  // 2 = enabled with given default responder
+  if (NS_FAILED(rv))
+    ocspEnabled = OCSP_ENABLED_DEFAULT;
+
+  bool ocspRequired;
+  rv = pref->GetBoolPref("security.OCSP.require", &ocspRequired);
+  if (NS_FAILED(rv))
+    ocspRequired = OCSP_REQUIRED_DEFAULT;
 
-  bool ocspRequired = Preferences::GetBool("security.OCSP.require",
-                                           OCSP_REQUIRED_DEFAULT);
-  bool anyFreshRequired = Preferences::GetBool("security.fresh_revocation_info.require",
-                                               FRESH_REVOCATION_REQUIRED_DEFAULT);
-  bool aiaDownloadEnabled = Preferences::GetBool("security.missing_cert_download.enabled",
-                                                 MISSING_CERT_DOWNLOAD_DEFAULT);
+  bool anyFreshRequired;
+  rv = pref->GetBoolPref("security.fresh_revocation_info.require", &anyFreshRequired);
+  if (NS_FAILED(rv))
+    anyFreshRequired = FRESH_REVOCATION_REQUIRED_DEFAULT;
+  
+  bool aiaDownloadEnabled;
+  rv = pref->GetBoolPref("security.missing_cert_download.enabled", &aiaDownloadEnabled);
+  if (NS_FAILED(rv))
+    aiaDownloadEnabled = MISSING_CERT_DOWNLOAD_DEFAULT;
 
-  nsCString firstNetworkRevo =
-    Preferences::GetCString("security.first_network_revocation_method");
-  if (firstNetworkRevo.IsEmpty()) {
+  nsCString firstNetworkRevo;
+  rv = pref->GetCharPref("security.first_network_revocation_method", getter_Copies(firstNetworkRevo));
+  if (NS_FAILED(rv))
     firstNetworkRevo = FIRST_REVO_METHOD_DEFAULT;
+
+  bool ocspStaplingEnabled;
+  rv = pref->GetBoolPref("security.ssl.enable_ocsp_stapling", &ocspStaplingEnabled);
+  if (NS_FAILED(rv)) {
+    ocspStaplingEnabled = OCSP_STAPLING_ENABLED_DEFAULT;
   }
-
-  bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
-                                                  OCSP_STAPLING_ENABLED_DEFAULT);
   if (!ocspEnabled) {
     ocspStaplingEnabled = false;
   }
   PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
   PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
-
-  setNonPkixOcspEnabled(ocspEnabled);
-
+  
+  setNonPkixOcspEnabled(ocspEnabled, pref);
+  
   CERT_SetOCSPFailureMode( ocspRequired ?
                            ocspMode_FailureIsVerificationFailure
                            : ocspMode_FailureIsNotAVerificationFailure);
 
   mDefaultCertVerifier = new CertVerifier(
       aiaDownloadEnabled ? 
         CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
       crlDownloading ?
@@ -949,26 +966,26 @@ void nsNSSComponent::setValidationOption
     * let's not reuse them.
     */
   SSL_ClearSessionCache();
 }
 
 // Enable the TLS versions given in the prefs, defaulting to SSL 3.0 and
 // TLS 1.0 when the prefs aren't set or when they are set to invalid values.
 nsresult
-nsNSSComponent::setEnabledTLSVersions()
+nsNSSComponent::setEnabledTLSVersions(nsIPrefBranch * prefBranch)
 {
   // keep these values in sync with security-prefs.js and firefox.js
   static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0;
   static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 1;
 
-  int32_t minVersion = Preferences::GetInt("security.tls.version.min",
-                                           PSM_DEFAULT_MIN_TLS_VERSION);
-  int32_t maxVersion = Preferences::GetInt("security.tls.version.max",
-                                           PSM_DEFAULT_MAX_TLS_VERSION);
+  int32_t minVersion = PSM_DEFAULT_MIN_TLS_VERSION;
+  int32_t maxVersion = PSM_DEFAULT_MAX_TLS_VERSION;
+  mPrefBranch->GetIntPref("security.tls.version.min", &minVersion);
+  mPrefBranch->GetIntPref("security.tls.version.max", &maxVersion);
 
   // 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.
   minVersion += SSL_LIBRARY_VERSION_3_0;
   maxVersion += SSL_LIBRARY_VERSION_3_0;
 
   SSLVersionRange range = { (uint16_t) minVersion, (uint16_t) maxVersion };
 
   if (minVersion != (int32_t) range.min || // prevent truncation
@@ -994,21 +1011,23 @@ nsNSSComponent::SkipOcsp()
   SECStatus rv = CERT_DisableOCSPChecking(certdb);
   return (rv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
 }
 
 NS_IMETHODIMP
 nsNSSComponent::SkipOcspOff()
 {
   nsNSSShutDownPreventionLock locker;
-  // 0 = disabled, 1 = enabled
-  int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
-                                            OCSP_ENABLED_DEFAULT);
-
-  setNonPkixOcspEnabled(ocspEnabled);
+  int32_t ocspEnabled;
+  if (NS_FAILED(mPrefBranch->GetIntPref("security.OCSP.enabled", &ocspEnabled)))
+    ocspEnabled = OCSP_ENABLED_DEFAULT;
+  // 0 = disabled, 1 = enabled, 
+  // 2 = enabled with given default responder
+  
+  setNonPkixOcspEnabled(ocspEnabled, mPrefBranch);
 
   if (ocspEnabled)
     SSL_ClearSessionCache();
 
   return NS_OK;
 }
 
 static void configureMD5(bool enabled)
@@ -1026,24 +1045,16 @@ static void configureMD5(bool enabled)
         0, NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE);
     NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
         0, NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE);
     NSS_SetAlgorithmPolicy(SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
         0, NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE);
   }
 }
 
-static const bool SUPPRESS_WARNING_PREF_DEFAULT = false;
-static const bool MD5_ENABLED_DEFAULT = false;
-static const bool TLS_SESSION_TICKETS_ENABLED_DEFAULT = true;
-static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
-static const bool ALLOW_UNRESTRICTED_RENEGO_DEFAULT = false;
-static const bool FALSE_START_ENABLED_DEFAULT = true;
-static const bool CIPHER_ENABLED_DEFAULT = false;
-
 nsresult
 nsNSSComponent::InitializeNSS(bool showWarningBox)
 {
   // Can be called both during init and profile change.
   // Needs mutex protection.
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::InitializeNSS\n"));
 
@@ -1103,23 +1114,27 @@ nsNSSComponent::InitializeNSS(bool showW
   #endif
       if (NS_FAILED(rv)) {
         nsPSMInitPanic::SetPanic();
         return rv;
       }
     }
 
 #ifndef NSS_NO_LIBPKIX
-    globalConstFlagUsePKIXVerification =
-      Preferences::GetBool("security.use_libpkix_verification", USE_NSS_LIBPKIX_DEFAULT);
+    rv = mPrefBranch->GetBoolPref("security.use_libpkix_verification", &globalConstFlagUsePKIXVerification);
+    if (NS_FAILED(rv))
+      globalConstFlagUsePKIXVerification = USE_NSS_LIBPKIX_DEFAULT;
 #endif
 
-    bool suppressWarningPref =
-      Preferences::GetBool("security.suppress_nss_rw_impossible_warning",
-                           SUPPRESS_WARNING_PREF_DEFAULT);
+    bool supress_warning_preference = false;
+    rv = mPrefBranch->GetBoolPref("security.suppress_nss_rw_impossible_warning", &supress_warning_preference);
+
+    if (NS_FAILED(rv)) {
+      supress_warning_preference = false;
+    }
 
     // init phase 2, init calls to NSS library
 
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization beginning\n"));
 
     // The call to ConfigureInternalPKCS11Token needs to be done before NSS is initialized, 
     // but affects only static data.
     // If we could assume i18n will not change between profiles, one call per application
@@ -1135,17 +1150,17 @@ nsNSSComponent::InitializeNSS(bool showW
     // "/usr/lib/nss/libnssckbi.so".
     uint32_t init_flags = NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE;
     SECStatus init_rv = ::NSS_Initialize(profileStr.get(), "", "",
                                          SECMOD_DB, init_flags);
 
     if (init_rv != SECSuccess) {
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("can not init NSS r/w in %s\n", profileStr.get()));
 
-      if (suppressWarningPref) {
+      if (supress_warning_preference) {
         which_nss_problem = problem_none;
       }
       else {
         which_nss_problem = problem_no_rw;
       }
 
       // try to init r/o
       init_flags |= NSS_INIT_READONLY;
@@ -1173,82 +1188,78 @@ nsNSSComponent::InitializeNSS(bool showW
 
       ::NSS_SetDomesticPolicy();
 
       PK11_SetPasswordFunc(PK11PasswordPrompt);
 
       SharedSSLState::GlobalInit();
 
       // Register an observer so we can inform NSS when these prefs change
-      Preferences::AddStrongObserver(this, "security.");
+      mPrefBranch->AddObserver("security.", this, false);
 
       SSL_OptionSetDefault(SSL_ENABLE_SSL2, false);
       SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false);
 
-      rv = setEnabledTLSVersions();
+      rv = setEnabledTLSVersions(mPrefBranch);
       if (NS_FAILED(rv)) {
         nsPSMInitPanic::SetPanic();
         return NS_ERROR_UNEXPECTED;
       }
 
-      bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures",
-                                             MD5_ENABLED_DEFAULT);
-      configureMD5(md5Enabled);
+      bool enabled = true; // XXX: see bug 733644
+
+      mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
+      configureMD5(enabled);
 
       // Configure TLS session tickets
-      bool tlsSessionTicketsEnabled =
-        Preferences::GetBool("security.enable_tls_session_tickets",
-                             TLS_SESSION_TICKETS_ENABLED_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, tlsSessionTicketsEnabled);
+      mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled);
+
+      mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled);
+      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled);
 
-      bool requireSafeNegotiation =
-        Preferences::GetBool("security.ssl.require_safe_negotiation",
-                             REQUIRE_SAFE_NEGOTIATION_DEFAULT);
-      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
-
-      bool allowUnrestrictedRenego =
-        Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
-                             ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
-                           allowUnrestrictedRenego ?
-                             SSL_RENEGOTIATE_UNRESTRICTED :
-                             SSL_RENEGOTIATE_REQUIRES_XTN);
+      mPrefBranch->GetBoolPref(
+        "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", 
+        &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, 
+        enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN);
 
 #ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
-      bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
-                                                    FALSE_START_ENABLED_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled);
+      mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
 #endif
 
       // Disable any ciphers that NSS might have enabled by default
       for (uint16_t i = 0; i < SSL_NumImplementedCiphers; ++i)
       {
         uint16_t cipher_id = SSL_ImplementedCiphers[i];
         SSL_CipherPrefSetDefault(cipher_id, false);
       }
 
-      bool cipherEnabled;
       // Now only set SSL/TLS ciphers we knew about at compile time
       for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
-        cipherEnabled = Preferences::GetBool(cp->pref, CIPHER_ENABLED_DEFAULT);
-        SSL_CipherPrefSetDefault(cp->id, cipherEnabled);
+        rv = mPrefBranch->GetBoolPref(cp->pref, &enabled);
+        if (NS_FAILED(rv))
+          enabled = false;
+
+        SSL_CipherPrefSetDefault(cp->id, enabled);
       }
 
       // Enable ciphers for PKCS#12
       SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
       SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
       SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1);
       SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
       SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
       SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
       SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
       PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn);
 
       // dynamic options from prefs
-      setValidationOptions();
+      setValidationOptions(mPrefBranch);
 
       mHttpForNSS.initTable();
       mHttpForNSS.registerHttpClient();
 
       InstallLoadableRoots();
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
       LaunchSmartCardThreads();
@@ -1284,17 +1295,19 @@ nsNSSComponent::ShutdownNSS()
   MutexAutoLock lock(mutex);
 
   if (mNSSInitialized) {
     mNSSInitialized = false;
 
     PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
     mHttpForNSS.unregisterHttpClient();
 
-    Preferences::RemoveObserver(this, "security.");
+    if (mPrefBranch) {
+      mPrefBranch->RemoveObserver("security.", this);
+    }
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
     ShutdownSmartCardThreads();
 #endif
     SSL_ClearSessionCache();
     UnloadLoadableRoots();
 #ifndef NSS_NO_LIBPKIX
     CleanupIdentityInfo();
@@ -1305,19 +1318,17 @@ nsNSSComponent::ShutdownNSS()
     if (SECSuccess != ::NSS_Shutdown()) {
       PR_LOG(gPIPNSSLog, PR_LOG_ALWAYS, ("NSS SHUTDOWN FAILURE\n"));
     }
     else {
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS shutdown =====>> OK <<=====\n"));
     }
   }
 }
-
-static const bool SEND_LM_DEFAULT = false;
-
+ 
 NS_IMETHODIMP
 nsNSSComponent::Init()
 {
   // No mutex protection.
   // Assume Init happens before any concurrency on "this" can start.
 
   nsresult rv = NS_OK;
 
@@ -1343,18 +1354,23 @@ nsNSSComponent::Init()
     NS_NAMED_LITERAL_STRING(dummy_name, "dummy");
     nsXPIDLString result;
     mPIPNSSBundle->GetStringFromName(dummy_name.get(),
                                      getter_Copies(result));
     mNSSErrorsBundle->GetStringFromName(dummy_name.get(),
                                         getter_Copies(result));
   }
 
-  bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
-                                     SEND_LM_DEFAULT);
+  if (!mPrefBranch) {
+    mPrefBranch = do_GetService(NS_PREFSERVICE_CONTRACTID);
+    NS_ASSERTION(mPrefBranch, "Unable to get pref service");
+  }
+
+  bool sendLM = false;
+  mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM);
   nsNTLMAuthModule::SetSendLM(sendLM);
 
   // Do that before NSS init, to make sure we won't get unloaded.
   RegisterObservers();
 
   rv = InitializeNSS(true); // ok to show a warning box on failure
   if (NS_FAILED(rv)) {
     PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("Unable to Initialize NSS.\n"));
@@ -1614,71 +1630,61 @@ nsNSSComponent::Observe(nsISupports *aSu
       if (bec) {
         bec->DontForward();
       }
     }
   }
   else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { 
     nsNSSShutDownPreventionLock locker;
     bool clearSessionCache = false;
+    bool enabled;
     NS_ConvertUTF16toUTF8  prefName(someData);
 
     if (prefName.Equals("security.tls.version.min") ||
         prefName.Equals("security.tls.version.max")) {
-      (void) setEnabledTLSVersions();
+      (void) setEnabledTLSVersions(mPrefBranch);
       clearSessionCache = true;
     } else if (prefName.Equals("security.enable_md5_signatures")) {
-      bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures",
-                                             MD5_ENABLED_DEFAULT);
-      configureMD5(md5Enabled);
+      mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
+      configureMD5(enabled);
       clearSessionCache = true;
     } else if (prefName.Equals("security.enable_tls_session_tickets")) {
-      bool tlsSessionTicketsEnabled =
-        Preferences::GetBool("security.enable_tls_session_tickets",
-                             TLS_SESSION_TICKETS_ENABLED_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, tlsSessionTicketsEnabled);
+      mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled);
     } else if (prefName.Equals("security.ssl.require_safe_negotiation")) {
-      bool requireSafeNegotiation =
-        Preferences::GetBool("security.ssl.require_safe_negotiation",
-                             REQUIRE_SAFE_NEGOTIATION_DEFAULT);
-      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
+      mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled);
+      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled);
     } else if (prefName.Equals("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref")) {
-      bool allowUnrestrictedRenego =
-        Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
-                             ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
-                           allowUnrestrictedRenego ?
-                             SSL_RENEGOTIATE_UNRESTRICTED :
-                             SSL_RENEGOTIATE_REQUIRES_XTN);
+      mPrefBranch->GetBoolPref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, 
+        enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN);
 #ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
     } else if (prefName.Equals("security.ssl.enable_false_start")) {
-      bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
-                                                    FALSE_START_ENABLED_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled);
+      mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
 #endif
     } else if (prefName.Equals("security.OCSP.enabled")
                || prefName.Equals("security.CRL_download.enabled")
                || prefName.Equals("security.fresh_revocation_info.require")
                || prefName.Equals("security.missing_cert_download.enabled")
                || prefName.Equals("security.first_network_revocation_method")
                || prefName.Equals("security.OCSP.require")
                || prefName.Equals("security.ssl.enable_ocsp_stapling")) {
       MutexAutoLock lock(mutex);
-      setValidationOptions();
+      setValidationOptions(mPrefBranch);
     } else if (prefName.Equals("network.ntlm.send-lm-response")) {
-      bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
-                                         SEND_LM_DEFAULT);
+      bool sendLM = false;
+      mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM);
       nsNTLMAuthModule::SetSendLM(sendLM);
     } else {
       /* Look through the cipher table and set according to pref setting */
-      bool cipherEnabled;
       for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
         if (prefName.Equals(cp->pref)) {
-          cipherEnabled = Preferences::GetBool(cp->pref, CIPHER_ENABLED_DEFAULT);
-          SSL_CipherPrefSetDefault(cp->id, cipherEnabled);
+          mPrefBranch->GetBoolPref(cp->pref, &enabled);
+          SSL_CipherPrefSetDefault(cp->id, enabled);
           clearSessionCache = true;
           break;
         }
       }
     }
     if (clearSessionCache)
       SSL_ClearSessionCache();
   }
--- a/security/manager/ssl/src/nsNSSComponent.h
+++ b/security/manager/ssl/src/nsNSSComponent.h
@@ -8,16 +8,17 @@
 #define _nsNSSComponent_h_
 
 #include "mozilla/Mutex.h"
 #include "mozilla/RefPtr.h"
 #include "nsCOMPtr.h"
 #include "nsISignatureVerifier.h"
 #include "nsIEntropyCollector.h"
 #include "nsIStringBundle.h"
+#include "nsIPrefBranch.h"
 #include "nsIObserver.h"
 #include "nsIObserverService.h"
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
 #endif
 #include "nsINSSErrorsService.h"
 #include "nsNSSCallbacks.h"
 #include "ScopedNSSTypes.h"
 #include "nsNSSHelper.h"
@@ -179,34 +180,35 @@ public:
 private:
 
   nsresult InitializeNSS(bool showWarningBox);
   void ShutdownNSS();
 
   void InstallLoadableRoots();
   void UnloadLoadableRoots();
   void CleanupIdentityInfo();
-  void setValidationOptions();
-  nsresult setEnabledTLSVersions();
+  void setValidationOptions(nsIPrefBranch * pref);
+  nsresult setEnabledTLSVersions(nsIPrefBranch * pref);
   nsresult InitializePIPNSSBundle();
   nsresult ConfigureInternalPKCS11Token();
   nsresult RegisterObservers();
   nsresult DeregisterObservers();
 
   // Methods that we use to handle the profile change notifications (and to
   // synthesize a full profile change when we're just doing a profile startup):
   void DoProfileChangeNetTeardown();
   void DoProfileChangeTeardown(nsISupports* aSubject);
   void DoProfileBeforeChange(nsISupports* aSubject);
   void DoProfileChangeNetRestore();
   
   Mutex mutex;
   
   nsCOMPtr<nsIStringBundle> mPIPNSSBundle;
   nsCOMPtr<nsIStringBundle> mNSSErrorsBundle;
+  nsCOMPtr<nsIPrefBranch> mPrefBranch;
   bool mNSSInitialized;
   bool mObserversRegistered;
   static int mInstanceCount;
   nsNSSShutDownList *mShutdownObjectList;
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
   SmartCardThreadList *mThreadList;
 #endif
   bool mIsNetworkDown;