Bug 1223131 - Don't remove a host from the whitelist if the version fallback was needed. r=keeler, a=ritu
authorMasatoshi Kimura <VYV03354@nifty.ne.jp>
Thu, 12 Nov 2015 07:18:37 +0900
changeset 291526 2c1d99f436dc6f573fbb1df0436604d6a02a97d4
parent 291525 c96b70c245aa65c79d335591b60b55ccc75de92b
child 291527 0c27f489c79121bf0635ec9eaeb280d10e797edb
push id8725
push usercbook@mozilla.com
push dateTue, 17 Nov 2015 07:53:37 +0000
reviewerskeeler, ritu
bugs1223131
milestone44.0a2
Bug 1223131 - Don't remove a host from the whitelist if the version fallback was needed. r=keeler, a=ritu
config/external/nss/nss.def
security/manager/ssl/nsNSSCallbacks.cpp
--- a/config/external/nss/nss.def
+++ b/config/external/nss/nss.def
@@ -663,16 +663,17 @@ SSL_SetCanFalseStartCallback
 SSL_SetNextProtoNego
 SSL_SetPKCS11PinArg
 SSL_SetSockPeerID
 SSL_SetSRTPCiphers
 SSL_SetStapledOCSPResponses
 SSL_SetURL
 SSL_SNISocketConfigHook
 SSL_VersionRangeGet
+SSL_VersionRangeGetDefault
 SSL_VersionRangeGetSupported
 SSL_VersionRangeSet
 SSL_VersionRangeSetDefault
 UTIL_SetForkState
 VFY_Begin
 VFY_CreateContext
 VFY_DestroyContext
 VFY_End
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -1240,19 +1240,23 @@ void HandshakeCallback(PRFileDesc* fd, v
   if (usesWeakCipher || renegotiationUnsafe) {
     state = nsIWebProgressListener::STATE_IS_BROKEN;
     if (usesWeakCipher) {
       state |= nsIWebProgressListener::STATE_USES_WEAK_CRYPTO;
     }
   } else {
     state = nsIWebProgressListener::STATE_IS_SECURE |
             nsIWebProgressListener::STATE_SECURE_HIGH;
-    // we know this site no longer requires a weak cipher
-    ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(),
-                                              infoObject->GetPort());
+    SSLVersionRange defVersion;
+    rv = SSL_VersionRangeGetDefault(ssl_variant_stream, &defVersion);
+    if (rv == SECSuccess && versions.max >= defVersion.max) {
+      // we know this site no longer requires a weak cipher
+      ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(),
+                                                infoObject->GetPort());
+    }
   }
   infoObject->SetSecurityState(state);
 
   // XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead,
   // we should set a flag on the channel that higher (UI) level code can check
   // to log the warning. In particular, these warnings should go to the web
   // console instead of to the error console. Also, the warning is not
   // localized.
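Review bot: The comment kept inside the new `if` still only says "we know this site no longer requires a weak cipher", but the guard added above it is about the protocol version, so the reason for comparing `versions.max` against the default range's `max` is left undocumented; suggest replacing it with `// Only clear the fallback entry when the socket's range reached the default maximum version: a handshake that succeeded only because the whitelist permitted a version fallback has not shown the site can do without it.` Both `versions` and `rv` are assigned before this hunk, so it cannot be seen here whether a later reader of `rv` expected the earlier value rather than the `SSL_VersionRangeGetDefault` result. When that call fails the host silently stays on the fallback list; if that is intended, a one-line comment saying so would make the fail-closed choice explicit. HandshakeCallback starts and ends outside the hunk.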