Bug 1197644 - Remove the security.ssl.warn_missing_rfc5746 pref. r=keeler
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -11,17 +11,16 @@ pref("security.tls.insecure_fallback_hos
#ifdef RELEASE_BUILD
pref("security.tls.unrestricted_rc4_fallback", true);
#else
pref("security.tls.unrestricted_rc4_fallback", false);
#endif
pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
pref("security.ssl.require_safe_negotiation", false);
-pref("security.ssl.warn_missing_rfc5746", 1);
pref("security.ssl.enable_ocsp_stapling", true);
pref("security.ssl.enable_false_start", true);
pref("security.ssl.false_start.require-npn", false);
pref("security.ssl.enable_npn", true);
pref("security.ssl.enable_alpn", true);
pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -1241,18 +1241,17 @@ void HandshakeCallback(PRFileDesc* fd, v
}
infoObject->SetSecurityState(state);
// XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead,
// we should set a flag on the channel that higher (UI) level code can check
// to log the warning. In particular, these warnings should go to the web
// console instead of to the error console. Also, the warning is not
// localized.
- if (!siteSupportsSafeRenego &&
- ioLayerHelpers.getWarnLevelMissingRFC5746() > 0) {
+ if (!siteSupportsSafeRenego) {
nsXPIDLCString hostName;
infoObject->GetHostName(getter_Copies(hostName));
nsAutoString msg;
msg.Append(NS_ConvertASCIItoUTF16(hostName));
msg.AppendLiteral(" : server does not support RFC 5746, see CVE-2009-3555");
nsContentUtils::LogSimpleConsoleError(msg, "SSL");
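Review bot: The `!siteSupportsSafeRenego` branch at the top of this hunk is now unconditional, so the CVE-2009-3555 warning is emitted for every such handshake with no way to silence it, yet nothing in the hunk records that this is informational only and not where safe renegotiation is enforced. I would add above the `if`: `// Unconditional since bug 1197644 removed warn_missing_rfc5746. This is only a console warning; enforcement is governed by security.ssl.require_safe_negotiation and security.ssl.treat_unsafe_negotiation_as_broken.` If HandshakeCallback also fires for resumed sessions (not visible here), the same host will be logged once per connection, which is worth confirming before relying on this for triage. HandshakeCallback starts before and ends after the hunk.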
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -1314,17 +1314,16 @@ nsSSLIOLayerPoll(PRFileDesc* fd, int16_t
int16_t result = fd->lower->methods->poll(fd->lower, in_flags, out_flags);
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] poll SSL socket returned %d\n",
(void*) fd, (int) result));
return result;
}
nsSSLIOLayerHelpers::nsSSLIOLayerHelpers()
: mTreatUnsafeNegotiationAsBroken(false)
- , mWarnLevelMissingRFC5746(1)
, mTLSIntoleranceInfo()
, mFalseStartRequireNPN(false)
, mUseStaticFallbackList(true)
, mUnrestrictedRC4Fallback(false)
, mVersionFallbackLimit(SSL_LIBRARY_VERSION_TLS_1_0)
, mutex("nsSSLIOLayerHelpers.mutex")
{
}
@@ -1528,20 +1527,16 @@ PrefObserver::Observe(nsISupports* aSubj
{
if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
NS_ConvertUTF16toUTF8 prefName(someData);
if (prefName.EqualsLiteral("security.ssl.treat_unsafe_negotiation_as_broken")) {
bool enabled;
Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", &enabled);
mOwner->setTreatUnsafeNegotiationAsBroken(enabled);
- } else if (prefName.EqualsLiteral("security.ssl.warn_missing_rfc5746")) {
- int32_t warnLevel = 1;
- Preferences::GetInt("security.ssl.warn_missing_rfc5746", &warnLevel);
- mOwner->setWarnLevelMissingRFC5746(warnLevel);
} else if (prefName.EqualsLiteral("security.ssl.false_start.require-npn")) {
mOwner->mFalseStartRequireNPN =
Preferences::GetBool("security.ssl.false_start.require-npn",
FALSE_START_REQUIRE_NPN_DEFAULT);
} else if (prefName.EqualsLiteral("security.tls.version.fallback-limit")) {
mOwner->loadVersionFallbackLimit();
} else if (prefName.EqualsLiteral("security.tls.insecure_fallback_hosts")) {
nsCString insecureFallbackHosts;
@@ -1579,18 +1574,16 @@ PlaintextRecv(PRFileDesc* fd, void* buf,
nsSSLIOLayerHelpers::~nsSSLIOLayerHelpers()
{
// mPrefObserver will only be set if this->Init was called. The GTest tests
// do not call Init.
if (mPrefObserver) {
Preferences::RemoveObserver(mPrefObserver,
"security.ssl.treat_unsafe_negotiation_as_broken");
Preferences::RemoveObserver(mPrefObserver,
- "security.ssl.warn_missing_rfc5746");
- Preferences::RemoveObserver(mPrefObserver,
"security.ssl.false_start.require-npn");
Preferences::RemoveObserver(mPrefObserver,
"security.tls.version.fallback-limit");
Preferences::RemoveObserver(mPrefObserver,
"security.tls.insecure_fallback_hosts");
Preferences::RemoveObserver(mPrefObserver,
"security.tls.unrestricted_rc4_fallback");
}
@@ -1640,38 +1633,32 @@ nsSSLIOLayerHelpers::Init()
nsSSLPlaintextLayerMethods = *PR_GetDefaultIOMethods();
nsSSLPlaintextLayerMethods.recv = PlaintextRecv;
}
bool enabled = false;
Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", &enabled);
setTreatUnsafeNegotiationAsBroken(enabled);
- int32_t warnLevel = 1;
- Preferences::GetInt("security.ssl.warn_missing_rfc5746", &warnLevel);
- setWarnLevelMissingRFC5746(warnLevel);
-
mFalseStartRequireNPN =
Preferences::GetBool("security.ssl.false_start.require-npn",
FALSE_START_REQUIRE_NPN_DEFAULT);
loadVersionFallbackLimit();
nsCString insecureFallbackHosts;
Preferences::GetCString("security.tls.insecure_fallback_hosts", &insecureFallbackHosts);
setInsecureFallbackSites(insecureFallbackHosts);
mUseStaticFallbackList =
Preferences::GetBool("security.tls.insecure_fallback_hosts.use_static_list", true);
mUnrestrictedRC4Fallback =
Preferences::GetBool("security.tls.unrestricted_rc4_fallback", false);
mPrefObserver = new PrefObserver(this);
Preferences::AddStrongObserver(mPrefObserver,
"security.ssl.treat_unsafe_negotiation_as_broken");
Preferences::AddStrongObserver(mPrefObserver,
- "security.ssl.warn_missing_rfc5746");
- Preferences::AddStrongObserver(mPrefObserver,
"security.ssl.false_start.require-npn");
Preferences::AddStrongObserver(mPrefObserver,
"security.tls.version.fallback-limit");
Preferences::AddStrongObserver(mPrefObserver,
"security.tls.insecure_fallback_hosts");
Preferences::AddStrongObserver(mPrefObserver,
"security.tls.unrestricted_rc4_fallback");
return NS_OK;
@@ -1774,30 +1761,16 @@ nsSSLIOLayerHelpers::setTreatUnsafeNegot
bool
nsSSLIOLayerHelpers::treatUnsafeNegotiationAsBroken()
{
MutexAutoLock lock(mutex);
return mTreatUnsafeNegotiationAsBroken;
}
-void
-nsSSLIOLayerHelpers::setWarnLevelMissingRFC5746(int32_t level)
-{
- MutexAutoLock lock(mutex);
- mWarnLevelMissingRFC5746 = level;
-}
-
-int32_t
-nsSSLIOLayerHelpers::getWarnLevelMissingRFC5746()
-{
- MutexAutoLock lock(mutex);
- return mWarnLevelMissingRFC5746;
-}
-
nsresult
nsSSLIOLayerNewSocket(int32_t family,
const char* host,
int32_t port,
const char* proxyHost,
int32_t proxyPort,
PRFileDesc** fd,
nsISupports** info,
--- a/security/manager/ssl/nsNSSIOLayer.h
+++ b/security/manager/ssl/nsNSSIOLayer.h
@@ -179,22 +179,19 @@ public:
static bool nsSSLIOLayerInitialized;
static PRDescIdentity nsSSLIOLayerIdentity;
static PRDescIdentity nsSSLPlaintextLayerIdentity;
static PRIOMethods nsSSLIOLayerMethods;
static PRIOMethods nsSSLPlaintextLayerMethods;
bool mTreatUnsafeNegotiationAsBroken;
- int32_t mWarnLevelMissingRFC5746;
void setTreatUnsafeNegotiationAsBroken(bool broken);
bool treatUnsafeNegotiationAsBroken();
- void setWarnLevelMissingRFC5746(int32_t level);
- int32_t getWarnLevelMissingRFC5746();
private:
struct IntoleranceEntry
{
uint16_t tolerant;
uint16_t intolerant;
PRErrorCode intoleranceReason;
StrongCipherStatus strongCipherStatus;