Bug 1250582 - Remove SSL_FALLBACK_LIMIT_REACHED telemetry. r=keeler
authorMasatoshi Kimura <VYV03354@nifty.ne.jp>
Sat, 16 Jul 2016 14:16:06 +0900
changeset 330521 8e994cb3fb30be363fe83ecfb09b86165035c919
parent 330520 649120d26209ce3787aff18222f387ce73127694
child 330522 c2c393c85d041b196936a0dd53aff0db1c58d516
push id9858
push userjlund@mozilla.com
push dateMon, 01 Aug 2016 14:37:10 +0000
treeherdermozilla-aurora@203106ef6cb6 [default view] [failures only]
reviewerskeeler
bugs1250582, 1084025
milestone50.0a1
Bug 1250582 - Remove SSL_FALLBACK_LIMIT_REACHED telemetry. r=keeler Bug 1084025 added this telemetry to measure the impact of bumping the fallback limit. But we already bumped the fallback limit to TLS 1.2 long ago. We will not need this kind of telemetry until we bump the fallback limit to TLS 1.3, which will not happen in the near future. So let's just remove it for now instead of wasting resources. MozReview-Commit-ID: 22o8FirlYql
security/manager/ssl/nsNSSIOLayer.cpp
security/manager/ssl/nsNSSIOLayer.h
toolkit/components/telemetry/Histograms.json
toolkit/components/telemetry/histogram-whitelists.json
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -688,42 +688,38 @@ nsSSLIOLayerHelpers::rememberTolerantAtV
     entry.strongCipherStatus = StrongCiphersWorked;
   }
 
   entry.AssertInvariant();
 
   mTLSIntoleranceInfo.Put(key, entry);
 }
 
-uint16_t
+void
 nsSSLIOLayerHelpers::forgetIntolerance(const nsACString& hostName,
                                        int16_t port)
 {
   nsCString key;
   getSiteKey(hostName, port, key);
 
   MutexAutoLock lock(mutex);
 
-  uint16_t tolerant = 0;
   IntoleranceEntry entry;
   if (mTLSIntoleranceInfo.Get(key, &entry)) {
     entry.AssertInvariant();
 
-    tolerant = entry.tolerant;
     entry.intolerant = 0;
     entry.intoleranceReason = 0;
     if (entry.strongCipherStatus != StrongCiphersWorked) {
       entry.strongCipherStatus = StrongCipherStatusUnknown;
     }
 
     entry.AssertInvariant();
     mTLSIntoleranceInfo.Put(key, entry);
   }
-
-  return tolerant;
 }
 
 bool
 nsSSLIOLayerHelpers::fallbackLimitReached(const nsACString& hostName,
                                           uint16_t intolerant)
 {
   if (isInsecureFallbackSite(hostName)) {
     return intolerant <= SSL_LIBRARY_VERSION_TLS_1_0;
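Review bot: forgetIntolerance now carries no comment at all, since the only description (the header's note about the returned tolerant version) is removed with the return value, and the name does not say which fields survive. The body zeroes `intolerant` and `intoleranceReason`, leaves `tolerant` untouched, and resets `strongCipherStatus` only when it is not `StrongCiphersWorked`. I would add above the definition: `// Clears the recorded intolerant version and reason for this site; the known tolerant version is kept, and strongCipherStatus goes back to unknown unless strong ciphers already worked.`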
@@ -736,59 +732,17 @@ bool
 nsSSLIOLayerHelpers::rememberIntolerantAtVersion(const nsACString& hostName,
                                                  int16_t port,
                                                  uint16_t minVersion,
                                                  uint16_t intolerant,
                                                  PRErrorCode intoleranceReason)
 {
   if (intolerant <= minVersion || fallbackLimitReached(hostName, intolerant)) {
     // We can't fall back any further. Assume that intolerance isn't the issue.
-    uint32_t tolerant = forgetIntolerance(hostName, port);
-    // If we know the server is tolerant at the version, we don't have to
-    // gather the telemetry.
-    if (intolerant <= tolerant) {
-      return false;
-    }
-
-    // This telemetry doesn't support TLS 1.3
-    // See bug 1250582
-    uint32_t fallbackLimitBucket = 0;
-    // added if the version has reached the min version.
-    if (intolerant <= minVersion) {
-      switch (minVersion) {
-        case SSL_LIBRARY_VERSION_TLS_1_0:
-          fallbackLimitBucket += 1;
-          break;
-        case SSL_LIBRARY_VERSION_TLS_1_1:
-          fallbackLimitBucket += 2;
-          break;
-        case SSL_LIBRARY_VERSION_TLS_1_2:
-          fallbackLimitBucket += 3;
-          break;
-      }
-    }
-    // added if the version has reached the fallback limit.
-    if (intolerant <= mVersionFallbackLimit) {
-      switch (mVersionFallbackLimit) {
-        case SSL_LIBRARY_VERSION_TLS_1_0:
-          fallbackLimitBucket += 4;
-          break;
-        case SSL_LIBRARY_VERSION_TLS_1_1:
-          fallbackLimitBucket += 8;
-          break;
-        case SSL_LIBRARY_VERSION_TLS_1_2:
-          fallbackLimitBucket += 12;
-          break;
-      }
-    }
-    if (fallbackLimitBucket) {
-      Telemetry::Accumulate(Telemetry::SSL_FALLBACK_LIMIT_REACHED,
-                            fallbackLimitBucket);
-    }
-
+    forgetIntolerance(hostName, port);
     return false;
   }
 
   nsCString key;
   getSiteKey(hostName, port, key);
 
   MutexAutoLock lock(mutex);
 
--- a/security/manager/ssl/nsNSSIOLayer.h
+++ b/security/manager/ssl/nsNSSIOLayer.h
@@ -212,19 +212,17 @@ public:
   void rememberTolerantAtVersion(const nsACString& hostname, int16_t port,
                                  uint16_t tolerant);
   bool fallbackLimitReached(const nsACString& hostname, uint16_t intolerant);
   bool rememberIntolerantAtVersion(const nsACString& hostname, int16_t port,
                                    uint16_t intolerant, uint16_t minVersion,
                                    PRErrorCode intoleranceReason);
   bool rememberStrongCiphersFailed(const nsACString& hostName, int16_t port,
                                    PRErrorCode intoleranceReason);
-  // returns the known tolerant version
-  // or 0 if there is no known tolerant version
-  uint16_t forgetIntolerance(const nsACString& hostname, int16_t port);
+  void forgetIntolerance(const nsACString& hostname, int16_t port);
   void adjustForTLSIntolerance(const nsACString& hostname, int16_t port,
                                /*in/out*/ SSLVersionRange& range,
                                /*out*/ StrongCipherStatus& strongCipherStatus);
   PRErrorCode getIntoleranceReason(const nsACString& hostname, int16_t port);
 
   void clearStoredData();
   void loadVersionFallbackLimit();
   void setInsecureFallbackSites(const nsCString& str);
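Review bot: The declaration of rememberIntolerantAtVersion in this hunk names its two version parameters `uint16_t intolerant, uint16_t minVersion`, while the definition shown in nsNSSIOLayer.cpp takes them as `uint16_t minVersion, uint16_t intolerant`. Both are `uint16_t`, so the compiler accepts either order, and a caller written from the header would pass them swapped and change when version fallback stops. The call sites are not visible here, so this may only be a naming slip, but since the commit already edits this block the declaration could be aligned with the definition: `uint16_t minVersion, uint16_t intolerant,`. The class body continues outside the hunk.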
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -7526,23 +7526,16 @@
   },
   "SSL_VERSION_FALLBACK_INAPPROPRIATE": {
     "alert_emails": ["seceng-telemetry@mozilla.com"],
     "expires_in_version": "never",
     "kind": "enumerated",
     "n_values": 64,
     "description": "TLS/SSL version intolerance was falsely detected, server rejected handshake (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)."
   },
-  "SSL_FALLBACK_LIMIT_REACHED": {
-    "alert_emails": ["seceng-telemetry@mozilla.com"],
-    "expires_in_version": "default",
-    "kind": "enumerated",
-    "n_values": 16,
-    "description": "TLS/SSL version fallback reached the minimum version (1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2) or the fallback limit (4=TLS 1.0, 8=TLS 1.1, 12=TLS 1.2), stopped the fallback"
-  },
   "SSL_CIPHER_SUITE_FULL": {
     "alert_emails": ["seceng-telemetry@mozilla.com"],
     "expires_in_version": "never",
     "kind": "enumerated",
     "n_values": 128,
     "description": "Negotiated cipher suite in full handshake (see key in HandshakeCallback in nsNSSCallbacks.cpp)"
   },
   "SSL_CIPHER_SUITE_RESUMED": {
--- a/toolkit/components/telemetry/histogram-whitelists.json
+++ b/toolkit/components/telemetry/histogram-whitelists.json
@@ -867,17 +867,16 @@
     "SPDY_VERSION2",
     "SSL_AUTH_ALGORITHM_FULL",
     "SSL_AUTH_ECDSA_CURVE_FULL",
     "SSL_AUTH_RSA_KEY_SIZE_FULL",
     "SSL_BYTES_BEFORE_CERT_CALLBACK",
     "SSL_CERT_ERROR_OVERRIDES",
     "SSL_CIPHER_SUITE_FULL",
     "SSL_CIPHER_SUITE_RESUMED",
-    "SSL_FALLBACK_LIMIT_REACHED",
     "SSL_HANDSHAKE_TYPE",
     "SSL_HANDSHAKE_VERSION",
     "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX",
     "SSL_KEA_DHE_KEY_SIZE_FULL",
     "SSL_KEA_ECDHE_CURVE_FULL",
     "SSL_KEA_RSA_KEY_SIZE_FULL",
     "SSL_KEY_EXCHANGE_ALGORITHM_FULL",
     "SSL_KEY_EXCHANGE_ALGORITHM_RESUMED",
@@ -2049,17 +2048,16 @@
     "SSL_AUTH_ALGORITHM_FULL",
     "SSL_AUTH_ECDSA_CURVE_FULL",
     "SSL_AUTH_RSA_KEY_SIZE_FULL",
     "SSL_BYTES_BEFORE_CERT_CALLBACK",
     "SSL_CERT_ERROR_OVERRIDES",
     "SSL_CERT_VERIFICATION_ERRORS",
     "SSL_CIPHER_SUITE_FULL",
     "SSL_CIPHER_SUITE_RESUMED",
-    "SSL_FALLBACK_LIMIT_REACHED",
     "SSL_HANDSHAKE_TYPE",
     "SSL_HANDSHAKE_VERSION",
     "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX",
     "SSL_KEA_DHE_KEY_SIZE_FULL",
     "SSL_KEA_ECDHE_CURVE_FULL",
     "SSL_KEA_RSA_KEY_SIZE_FULL",
     "SSL_KEY_EXCHANGE_ALGORITHM_FULL",
     "SSL_KEY_EXCHANGE_ALGORITHM_RESUMED",