Bug 1247250 - followup: fix comments to reflect the review comment. r=keeler DONTBUILD
☠☠ backed out by c56ae44b87f6 ☠ ☠
authorMasatoshi Kimura <VYV03354@nifty.ne.jp>
Fri, 12 Feb 2016 07:43:21 +0900
changeset 330570 8aded3a039f55ad950c995422fee5c880f626f01
parent 330569 374e6d0abf0ebc19e84376181276f5cc53a6914a
child 330571 8ff5276e171f6364c81b59986a915272a9c34cfb
push id10773
push userjyavenard@mozilla.com
push dateThu, 11 Feb 2016 23:46:51 +0000
reviewerskeeler
bugs1247250
milestone47.0a1
Bug 1247250 - followup: fix comments to reflect the review comment. r=keeler DONTBUILD
security/manager/ssl/nsNSSIOLayer.cpp
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -1073,18 +1073,18 @@ retryDueToTLSIntolerance(PRErrorCode err
   nsSSLIOLayerHelpers& helpers = socketInfo->SharedState().IOLayerHelpers();
 
   if (err == SSL_ERROR_UNSUPPORTED_VERSION &&
       range.min == SSL_LIBRARY_VERSION_TLS_1_0) {
     socketInfo->SetSecurityState(nsIWebProgressListener::STATE_IS_INSECURE |
                                  nsIWebProgressListener::STATE_USES_SSL_3);
   }
 
-  // NSS will return SSL_ERROR_RX_MALFORMED_SERVER_HELLO if TLS 1.3
-  // anti-downgrade detected the downgrade.
+  // NSS will return SSL_ERROR_RX_MALFORMED_SERVER_HELLO if anti-downgrade
+  // detected the downgrade.
   if (err == SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT ||
       err == SSL_ERROR_RX_MALFORMED_SERVER_HELLO) {
     // This is a clear signal that we've fallen back too many versions.  Treat
     // this as a hard failure, but forget any intolerance so that later attempts
     // don't use this version (i.e., range.max) and trigger the error again.
 
     // First, track the original cause of the version fallback.  This uses the
     // same buckets as the telemetry below, except that bucket 0 will include
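Review bot: The reworded comment above the `err == SSL_ERROR_RX_MALFORMED_SERVER_HELLO` check does not mention that, going by its name, this error code is presumably also what a genuinely malformed ServerHello produces. In that case this branch would hard-fail, forget intolerance and record fallback telemetry for connections where no downgrade was attempted. I would state that in the comment, e.g. `// NSS reports a failed anti-downgrade check as SSL_ERROR_RX_MALFORMED_SERVER_HELLO.` followed by `// A genuinely malformed ServerHello takes this path too; failing hard is the conservative choice.` The branch body runs past the end of the hunk, so how the telemetry buckets are filled cannot be confirmed from here.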
@@ -2553,18 +2553,17 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, b
   // when adjustForTLSIntolerance tweaks the maximum version downward,
   // we tell the server using this SCSV so they can detect a downgrade attack
   if (range.max < maxEnabledVersion) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
            ("[%p] nsSSLIOLayerSetOptions: enabling TLS_FALLBACK_SCSV\n", fd));
     if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, true)) {
       return NS_ERROR_FAILURE;
     }
-    // tell NSS to enable the max enabled version to make TLS 1.3
-    // anti-downgrade effective
+    // tell NSS the max enabled version to make anti-downgrade effective
     if (SECSuccess != SSL_SetDowngradeCheckVersion(fd, maxEnabledVersion)) {
       return NS_ERROR_FAILURE;
     }
   }
 
   bool enabled = infoObject->SharedState().IsOCSPStaplingEnabled();
   if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_OCSP_STAPLING, enabled)) {
     return NS_ERROR_FAILURE;
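Review bot: The new one-line comment on `SSL_SetDowngradeCheckVersion` does not say that the call sits inside `if (range.max < maxEnabledVersion)`, so the check version is only handed to NSS on a fallback attempt. That is the detail a reader auditing the downgrade defence needs. Something like `// On a fallback attempt, tell NSS the highest version we would normally offer so that its downgrade check can compare against it.` would record it; the exact NSS semantics are inferred from the call name and should be confirmed against the NSS header. nsSSLIOLayerSetOptions starts and ends outside this hunk.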