Bug 1550874 - Don't call SSL_SetResumptionToken if SSL_NO_CACHE option was set on the socket, r=valentin
authorMichal Novotny <michal.novotny@gmail.com>
Mon, 13 May 2019 15:14:46 +0000
changeset 535499 705cbeee6d09d365ed81c72e56e4c1a772477de1
parent 535498 37b9048629cfd3197b289f9c5d396116b6a0eb1f
child 535500 b97ebad615623b6e86f741c9ca2556ccbede0c12
push id2082
push userffxbld-merge
push dateMon, 01 Jul 2019 08:34:18 +0000
reviewersvalentin
bugs1550874
milestone68.0a1
Bug 1550874 - Don't call SSL_SetResumptionToken if SSL_NO_CACHE option was set on the socket, r=valentin We shouldn't search the cache and try to set TLS resumption token in nsSocketTransport::InitiateSocket() if the socket has SSL_NO_CACHE flag set, because NSS code might not honor the flag when the token is provided via API for external TLS session caches. Differential Revision: https://phabricator.services.mozilla.com/D30726
netwerk/base/nsSocketTransport2.cpp
--- a/netwerk/base/nsSocketTransport2.cpp
+++ b/netwerk/base/nsSocketTransport2.cpp
@@ -1545,25 +1545,29 @@ nsresult nsSocketTransport::InitiateSock
       SOCKET_LOG(
           ("nsSocketTransport::InitiateSocket TCP Fast Open "
            "started [this=%p]\n",
            this));
     }
   }
 
   if (usingSSL && SSLTokensCache::IsEnabled()) {
-    nsTArray<uint8_t> token;
-    nsresult rv2 = SSLTokensCache::Get(mHost, token);
-    if (NS_SUCCEEDED(rv2) && token.Length() != 0) {
-      SECStatus srv =
-          SSL_SetResumptionToken(fd, token.Elements(), token.Length());
-      if (srv == SECFailure) {
-        SOCKET_LOG(("Setting token failed with NSS error %d [host=%s]",
-                    PORT_GetError(), PromiseFlatCString(mHost).get()));
-        SSLTokensCache::Remove(mHost);
+    PRIntn val;
+    // If SSL_NO_CACHE option was set, we must not use the cache
+    if (SSL_OptionGet(fd, SSL_NO_CACHE, &val) == SECSuccess && val == 0) {
+      nsTArray<uint8_t> token;
+      nsresult rv2 = SSLTokensCache::Get(mHost, token);
+      if (NS_SUCCEEDED(rv2) && token.Length() != 0) {
+        SECStatus srv =
+            SSL_SetResumptionToken(fd, token.Elements(), token.Length());
+        if (srv == SECFailure) {
+          SOCKET_LOG(("Setting token failed with NSS error %d [host=%s]",
+                      PORT_GetError(), PromiseFlatCString(mHost).get()));
+          SSLTokensCache::Remove(mHost);
+        }
       }
     }
 
     SSL_SetResumptionTokenCallback(fd, &StoreResumptionToken, this);
     mSSLCallbackSet = true;
   }
 
   bool connectCalled = true;  // This is only needed for telemetry.
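Review bot: The `SSL_SetResumptionTokenCallback(fd, &StoreResumptionToken, this)` call at the end of this block still runs when SSL_NO_CACHE is set, so the new check gates only the read side of the token cache. `StoreResumptionToken` is not visible here; if it writes to `SSLTokensCache` without checking the option itself, a no-cache socket would still leave a token under `mHost` that a later cache-enabled connection to the same host could resume with, which undercuts the isolation the flag is meant to provide. Consider computing the result once, e.g. `const bool cacheAllowed = SSL_OptionGet(fd, SSL_NO_CACHE, &val) == SECSuccess && val == 0;`, and using it to guard both the `SSLTokensCache::Get` path and the callback registration, or confirm that the callback checks the flag. A failed `SSL_OptionGet` also skips the cache silently, so a `SOCKET_LOG` line on that path would make the fallback visible. InitiateSocket begins and ends outside this hunk, so how `mSSLCallbackSet` is consumed elsewhere could not be checked.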