Bug 1072382 - Remove version intolerance marker on inappropriate_fallback alert, r=keeler
authorMartin Thomson <martin.thomson@gmail.com>
Thu, 02 Oct 2014 10:03:30 -0700
changeset 231698 4c05532b63420ee67a57904ee4427bdc96a68a39
parent 231697 74871c4df0a7fba0b772de9a22dd63890add7a67
child 231699 b212e3c4cbf54ee0b4d1648d0f676ecee639c87b
push id4187
push userbhearsum@mozilla.com
push dateFri, 28 Nov 2014 15:29:12 +0000
reviewerskeeler
bugs1072382
milestone35.0a1
Bug 1072382 - Remove version intolerance marker on inappropriate_fallback alert, r=keeler
security/manager/ssl/src/nsNSSIOLayer.cpp
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -1025,16 +1025,27 @@ retryDueToTLSIntolerance(PRErrorCode err
   // This function is supposed to decide which error codes should
   // be used to conclude server is TLS intolerant.
   // Note this only happens during the initial SSL handshake.
 
   SSLVersionRange range = socketInfo->GetTLSVersionRange();
 
   uint32_t reason;
   switch (err) {
+    case SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT:
+      // This is a clear signal that we've fallen back too many versions.  Treat
+      // this as a hard failure now, but also mark the next higher version as
+      // being tolerant so that later attempts don't use this version (i.e.,
+      // range.max), which makes the error unrecoverable without a full restart.
+      socketInfo->SharedState().IOLayerHelpers()
+        .rememberTolerantAtVersion(socketInfo->GetHostName(),
+                                   socketInfo->GetPort(),
+                                   range.max + 1);
+      return false;
+
     case SSL_ERROR_BAD_MAC_ALERT: reason = 1; break;
     case SSL_ERROR_BAD_MAC_READ: reason = 2; break;
     case SSL_ERROR_HANDSHAKE_FAILURE_ALERT: reason = 3; break;
     case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT: reason = 4; break;
     case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE: reason = 5; break;
     case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: reason = 6; break;
     case SSL_ERROR_NO_CYPHER_OVERLAP: reason = 7; break;
     case SSL_ERROR_BAD_SERVER: reason = 8; break;
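Review bot: The comment on the new SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT case reads backwards: it says the tolerant mark is set "so that later attempts don't use this version (i.e., range.max)", whereas the commit title and the call to rememberTolerantAtVersion(..., range.max + 1) exist to clear the intolerance marker at range.max so the next connection offers that version again. Suggest `// The server signalled (via the fallback alert) that it supports a higher version than we offered, so the intolerance marker at range.max was spurious: fail hard now, and mark range.max + 1 tolerant so that marker is cleared and the next attempt offers range.max again.` Whether rememberTolerantAtVersion copes with a version above the highest one the client supports (range.max + 1 when range.max is already the configured maximum) depends on its implementation outside this hunk and deserves a comment or a test case. The early `return false` also bypasses whatever the `reason` codes feed further down the function, so this alert presumably leaves no telemetry record of the failure; retryDueToTLSIntolerance begins and ends outside the hunk.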