Bug 1320510 - clamp the default enabled TLS version range to what NSS supports r=keeler a=jcristau
author: EKR <ekr@rtfm.com>
date: Mon, 28 Nov 2016 13:15:34 -0800
changeset: 352755 504fe62668365dd7697f598d2de49ce1fb7632c8
parent: 352754 86eaf21cfe06c9d3160851d7bb8b94c822e9a05d
child: 352756 0277a89270ffd4de69f2b62d4a4fda1ef9db86a8
push id: 6795
push user: jlund@mozilla.com
push date: Mon, 23 Jan 2017 14:19:46 +0000
treeherder: mozilla-esr52@76101b503191
reviewers: keeler, jcristau
bugs: 1320510
milestone: 52.0a2
Bug 1320510 - clamp the default enabled TLS version range to what NSS supports r=keeler a=jcristau

In particular, this fixes the case where Firefox is compiled with TLS 1.3 enabled by default with the option --with-system-nss against NSS 3.28, which has TLS 1.3 compile-time disabled by default.
security/manager/ssl/nsNSSComponent.cpp
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1406,16 +1406,21 @@ nsNSSComponent::FillTLSVersionRange(SSLV
   rangeOut = defaults;
   // determine what versions are supported
   SSLVersionRange supported;
   if (SSL_VersionRangeGetSupported(ssl_variant_stream, &supported)
         != SECSuccess) {
     return;
   }
 
+  // Clip the defaults by what NSS actually supports to enable
+  // working with a system NSS with different ranges.
+  rangeOut.min = std::max(rangeOut.min, supported.min);
+  rangeOut.max = std::min(rangeOut.max, supported.max);
+
   // convert min/maxFromPrefs to the internal representation
   minFromPrefs += SSL_LIBRARY_VERSION_3_0;
   maxFromPrefs += SSL_LIBRARY_VERSION_3_0;
   // if min/maxFromPrefs are invalid, use defaults
   if (minFromPrefs > maxFromPrefs ||
       minFromPrefs < supported.min || maxFromPrefs > supported.max ||
       minFromPrefs < SSL_LIBRARY_VERSION_TLS_1_0) {
     return;
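Review bot: the two new clamping lines can leave `rangeOut` inverted (min greater than max) when the compiled-in defaults do not overlap the range NSS reports as supported at all, e.g. a default minimum that lies above the library's maximum: `rangeOut.min = std::max(rangeOut.min, supported.min);` raises the minimum while `rangeOut.max = std::min(rangeOut.max, supported.max);` lowers the maximum, and nothing in the hunk checks the result before the function continues. The validation that follows only guards `minFromPrefs`/`maxFromPrefs` against `supported`, not the clamped defaults, so an inverted default range would be handed back unchanged. Suggest adding an explicit check right after the clamp, such as `if (rangeOut.min > rangeOut.max) { rangeOut = supported; }` (or whichever fallback is intended), with a comment stating the policy. Separately, the hunk introduces `std::max`/`std::min` without a visible `#include <algorithm>`; worth confirming the file already pulls it in rather than relying on a transitive include.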