Bug 1197644 - Remove the security.ssl.warn_missing_rfc5746 pref. r=keeler
authorCykesiopka <cykesiopka.bmo@gmail.com>
Mon, 24 Aug 2015 22:53:42 -0700
changeset 291992 cbf83a6ab5e6c89f29f5a29b473fbac4c3f50124
parent 291991 ba8758c89322f23eb570432cfd72a9ae535e330b
child 291993 60707ba97960d5d92bb861636ee06ef4c06173b6
child 292050 90fc782afd1e4165a5862d082d81b85ce48d1209
push idunknown
push userunknown
push dateunknown
reviewerskeeler
bugs1197644
milestone43.0a1
Bug 1197644 - Remove the security.ssl.warn_missing_rfc5746 pref. r=keeler
netwerk/base/security-prefs.js
security/manager/ssl/nsNSSCallbacks.cpp
security/manager/ssl/nsNSSIOLayer.cpp
security/manager/ssl/nsNSSIOLayer.h
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -11,17 +11,16 @@ pref("security.tls.insecure_fallback_hos
 #ifdef RELEASE_BUILD
 pref("security.tls.unrestricted_rc4_fallback", true);
 #else
 pref("security.tls.unrestricted_rc4_fallback", false);
 #endif
 
 pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
 pref("security.ssl.require_safe_negotiation",  false);
-pref("security.ssl.warn_missing_rfc5746",  1);
 pref("security.ssl.enable_ocsp_stapling", true);
 pref("security.ssl.enable_false_start", true);
 pref("security.ssl.false_start.require-npn", false);
 pref("security.ssl.enable_npn", true);
 pref("security.ssl.enable_alpn", true);
 
 pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -1241,18 +1241,17 @@ void HandshakeCallback(PRFileDesc* fd, v
   }
   infoObject->SetSecurityState(state);
 
   // XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead,
   // we should set a flag on the channel that higher (UI) level code can check
   // to log the warning. In particular, these warnings should go to the web
   // console instead of to the error console. Also, the warning is not
   // localized.
-  if (!siteSupportsSafeRenego &&
-      ioLayerHelpers.getWarnLevelMissingRFC5746() > 0) {
+  if (!siteSupportsSafeRenego) {
     nsXPIDLCString hostName;
     infoObject->GetHostName(getter_Copies(hostName));
 
     nsAutoString msg;
     msg.Append(NS_ConvertASCIItoUTF16(hostName));
     msg.AppendLiteral(" : server does not support RFC 5746, see CVE-2009-3555");
 
     nsContentUtils::LogSimpleConsoleError(msg, "SSL");
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -1314,17 +1314,16 @@ nsSSLIOLayerPoll(PRFileDesc* fd, int16_t
   int16_t result = fd->lower->methods->poll(fd->lower, in_flags, out_flags);
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] poll SSL socket returned %d\n",
                                     (void*) fd, (int) result));
   return result;
 }
 
 nsSSLIOLayerHelpers::nsSSLIOLayerHelpers()
   : mTreatUnsafeNegotiationAsBroken(false)
-  , mWarnLevelMissingRFC5746(1)
   , mTLSIntoleranceInfo()
   , mFalseStartRequireNPN(false)
   , mUseStaticFallbackList(true)
   , mUnrestrictedRC4Fallback(false)
   , mVersionFallbackLimit(SSL_LIBRARY_VERSION_TLS_1_0)
   , mutex("nsSSLIOLayerHelpers.mutex")
 {
 }
@@ -1528,20 +1527,16 @@ PrefObserver::Observe(nsISupports* aSubj
 {
   if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
     NS_ConvertUTF16toUTF8 prefName(someData);
 
     if (prefName.EqualsLiteral("security.ssl.treat_unsafe_negotiation_as_broken")) {
       bool enabled;
       Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", &enabled);
       mOwner->setTreatUnsafeNegotiationAsBroken(enabled);
-    } else if (prefName.EqualsLiteral("security.ssl.warn_missing_rfc5746")) {
-      int32_t warnLevel = 1;
-      Preferences::GetInt("security.ssl.warn_missing_rfc5746", &warnLevel);
-      mOwner->setWarnLevelMissingRFC5746(warnLevel);
     } else if (prefName.EqualsLiteral("security.ssl.false_start.require-npn")) {
       mOwner->mFalseStartRequireNPN =
         Preferences::GetBool("security.ssl.false_start.require-npn",
                              FALSE_START_REQUIRE_NPN_DEFAULT);
     } else if (prefName.EqualsLiteral("security.tls.version.fallback-limit")) {
       mOwner->loadVersionFallbackLimit();
     } else if (prefName.EqualsLiteral("security.tls.insecure_fallback_hosts")) {
       nsCString insecureFallbackHosts;
@@ -1579,18 +1574,16 @@ PlaintextRecv(PRFileDesc* fd, void* buf,
 nsSSLIOLayerHelpers::~nsSSLIOLayerHelpers()
 {
   // mPrefObserver will only be set if this->Init was called. The GTest tests
   // do not call Init.
   if (mPrefObserver) {
     Preferences::RemoveObserver(mPrefObserver,
         "security.ssl.treat_unsafe_negotiation_as_broken");
     Preferences::RemoveObserver(mPrefObserver,
-        "security.ssl.warn_missing_rfc5746");
-    Preferences::RemoveObserver(mPrefObserver,
         "security.ssl.false_start.require-npn");
     Preferences::RemoveObserver(mPrefObserver,
         "security.tls.version.fallback-limit");
     Preferences::RemoveObserver(mPrefObserver,
         "security.tls.insecure_fallback_hosts");
     Preferences::RemoveObserver(mPrefObserver,
         "security.tls.unrestricted_rc4_fallback");
   }
@@ -1640,38 +1633,32 @@ nsSSLIOLayerHelpers::Init()
     nsSSLPlaintextLayerMethods  = *PR_GetDefaultIOMethods();
     nsSSLPlaintextLayerMethods.recv = PlaintextRecv;
   }
 
   bool enabled = false;
   Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", &enabled);
   setTreatUnsafeNegotiationAsBroken(enabled);
 
-  int32_t warnLevel = 1;
-  Preferences::GetInt("security.ssl.warn_missing_rfc5746", &warnLevel);
-  setWarnLevelMissingRFC5746(warnLevel);
-
   mFalseStartRequireNPN =
     Preferences::GetBool("security.ssl.false_start.require-npn",
                          FALSE_START_REQUIRE_NPN_DEFAULT);
   loadVersionFallbackLimit();
   nsCString insecureFallbackHosts;
   Preferences::GetCString("security.tls.insecure_fallback_hosts", &insecureFallbackHosts);
   setInsecureFallbackSites(insecureFallbackHosts);
   mUseStaticFallbackList =
     Preferences::GetBool("security.tls.insecure_fallback_hosts.use_static_list", true);
   mUnrestrictedRC4Fallback =
     Preferences::GetBool("security.tls.unrestricted_rc4_fallback", false);
 
   mPrefObserver = new PrefObserver(this);
   Preferences::AddStrongObserver(mPrefObserver,
                                  "security.ssl.treat_unsafe_negotiation_as_broken");
   Preferences::AddStrongObserver(mPrefObserver,
-                                 "security.ssl.warn_missing_rfc5746");
-  Preferences::AddStrongObserver(mPrefObserver,
                                  "security.ssl.false_start.require-npn");
   Preferences::AddStrongObserver(mPrefObserver,
                                  "security.tls.version.fallback-limit");
   Preferences::AddStrongObserver(mPrefObserver,
                                  "security.tls.insecure_fallback_hosts");
   Preferences::AddStrongObserver(mPrefObserver,
                                  "security.tls.unrestricted_rc4_fallback");
   return NS_OK;
@@ -1774,30 +1761,16 @@ nsSSLIOLayerHelpers::setTreatUnsafeNegot
 
 bool
 nsSSLIOLayerHelpers::treatUnsafeNegotiationAsBroken()
 {
   MutexAutoLock lock(mutex);
   return mTreatUnsafeNegotiationAsBroken;
 }
 
-void
-nsSSLIOLayerHelpers::setWarnLevelMissingRFC5746(int32_t level)
-{
-  MutexAutoLock lock(mutex);
-  mWarnLevelMissingRFC5746 = level;
-}
-
-int32_t
-nsSSLIOLayerHelpers::getWarnLevelMissingRFC5746()
-{
-  MutexAutoLock lock(mutex);
-  return mWarnLevelMissingRFC5746;
-}
-
 nsresult
 nsSSLIOLayerNewSocket(int32_t family,
                       const char* host,
                       int32_t port,
                       const char* proxyHost,
                       int32_t proxyPort,
                       PRFileDesc** fd,
                       nsISupports** info,
--- a/security/manager/ssl/nsNSSIOLayer.h
+++ b/security/manager/ssl/nsNSSIOLayer.h
@@ -179,22 +179,19 @@ public:
 
   static bool nsSSLIOLayerInitialized;
   static PRDescIdentity nsSSLIOLayerIdentity;
   static PRDescIdentity nsSSLPlaintextLayerIdentity;
   static PRIOMethods nsSSLIOLayerMethods;
   static PRIOMethods nsSSLPlaintextLayerMethods;
 
   bool mTreatUnsafeNegotiationAsBroken;
-  int32_t mWarnLevelMissingRFC5746;
 
   void setTreatUnsafeNegotiationAsBroken(bool broken);
   bool treatUnsafeNegotiationAsBroken();
-  void setWarnLevelMissingRFC5746(int32_t level);
-  int32_t getWarnLevelMissingRFC5746();
 
 private:
   struct IntoleranceEntry
   {
     uint16_t tolerant;
     uint16_t intolerant;
     PRErrorCode intoleranceReason;
     StrongCipherStatus strongCipherStatus;