Bug 969479 - Only prevent TLS fallback for STARTTLS. r=briansmith, a=lsblakk
authorDavid Keeler <dkeeler@mozilla.com>
Thu, 20 Feb 2014 15:14:32 -0800
changeset 176372 dd02eeb751881281fc5354cbaff57c7cacc3eb01
parent 176371 39ff71c70bf8cdfcc2fb9fa7aa33ac0f243a39b7
child 176373 e15b41883a5bc8fa86f51905dcfd1ba379654e86
push id445
push userffxbld
push dateMon, 10 Mar 2014 22:05:19 +0000
reviewersbriansmith, lsblakk
bugs969479
milestone28.0
Bug 969479 - Only prevent TLS fallback for STARTTLS. r=briansmith, a=lsblakk
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/src/nsNSSIOLayer.h
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -115,17 +115,16 @@ extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 nsNSSSocketInfo::nsNSSSocketInfo(SharedSSLState& aState, uint32_t providerFlags)
   : mFd(nullptr),
     mCertVerificationState(before_cert_verification),
     mSharedState(aState),
     mForSTARTTLS(false),
     mHandshakePending(true),
-    mHasCleartextPhase(false),
     mRememberClientAuthCertificate(false),
     mPreliminaryHandshakeDone(false),
     mNPNCompleted(false),
     mFalseStartCallbackCalled(false),
     mFalseStarted(false),
     mIsFullHandshake(false),
     mHandshakeCompleted(false),
     mJoined(false),
@@ -181,26 +180,16 @@ NS_IMETHODIMP nsNSSSocketInfo::GetRememb
 }
 
 NS_IMETHODIMP nsNSSSocketInfo::SetRememberClientAuthCertificate(bool aRememberClientAuthCertificate)
 {
   mRememberClientAuthCertificate = aRememberClientAuthCertificate;
   return NS_OK;
 }
 
-void nsNSSSocketInfo::SetHasCleartextPhase(bool aHasCleartextPhase)
-{
-  mHasCleartextPhase = aHasCleartextPhase;
-}
-
-bool nsNSSSocketInfo::GetHasCleartextPhase()
-{
-  return mHasCleartextPhase;
-}
-
 NS_IMETHODIMP
 nsNSSSocketInfo::GetNotificationCallbacks(nsIInterfaceRequestor** aCallbacks)
 {
   *aCallbacks = mCallbacks;
   NS_IF_ADDREF(*aCallbacks);
   return NS_OK;
 }
 
@@ -388,28 +377,26 @@ nsNSSSocketInfo::JoinConnection(const ns
     return NS_OK;
 
   // All tests pass - this is joinable
   mJoined = true;
   *_retval = true;
   return NS_OK;
 }
 
-nsresult
-nsNSSSocketInfo::GetForSTARTTLS(bool* aForSTARTTLS)
+bool
+nsNSSSocketInfo::GetForSTARTTLS()
 {
-  *aForSTARTTLS = mForSTARTTLS;
-  return NS_OK;
+  return mForSTARTTLS;
 }
 
-nsresult
+void
 nsNSSSocketInfo::SetForSTARTTLS(bool aForSTARTTLS)
 {
   mForSTARTTLS = aForSTARTTLS;
-  return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::ProxyStartSSL()
 {
   return ActivateSSL();
 }
 
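Review bot: `GetForSTARTTLS()` only reads `mForSTARTTLS`, so while its signature is being changed it should also be made const: `bool GetForSTARTTLS() const;` in nsNSSIOLayer.h and `nsNSSSocketInfo::GetForSTARTTLS() const` in this definition. The neighbouring accessors in the header (`IsHandshakePending() const`, `GetTLSVersionRange() const`) already use that form, and it allows the getter to be called through a const `nsNSSSocketInfo`. The same point applies to the declaration in the nsNSSIOLayer.h hunk.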
@@ -978,17 +965,17 @@ retryDueToTLSIntolerance(PRErrorCode err
       // resets, because connection resets have too many false positives,
       // and we want to maximize how often we send TLS 1.0+ with extensions
       // if at all reasonable. Unfortunately, it appears we have to allow
       // fallback from TLS 1.2 and TLS 1.1 for connection resets due to bad
       // servers and possibly bad intermediaries.
     conditional:
       if ((err == PR_CONNECT_RESET_ERROR &&
            range.max <= SSL_LIBRARY_VERSION_TLS_1_0) ||
-          socketInfo->GetHasCleartextPhase()) {
+          socketInfo->GetForSTARTTLS()) {
         return false;
       }
       break;
 
     default:
       return false;
   }
 
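Review bot: The `socketInfo->GetForSTARTTLS()` clause under `conditional:` is now the only thing that blocks a version-fallback retry for STARTTLS sockets, and nothing next to it says so; the comment above the `if` explains only the connection-reset half. A line such as `// Never retry with a lower TLS version for STARTTLS sockets; proxied sockets may fall back (bug 969479).` would record the intended policy, since sockets set up with `proxyHost` were previously excluded too and are now eligible for fallback. `mForSTARTTLS` is initialised to `false` in the constructor and the `SetForSTARTTLS` call site is not part of this diff, so confirm it is set before the first handshake error can reach this function; otherwise the guard silently does nothing. retryDueToTLSIntolerance starts and ends outside the hunk.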
@@ -2606,17 +2593,16 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, b
                        const char *proxyHost, const char *host, int32_t port,
                        nsNSSSocketInfo *infoObject)
 {
   nsNSSShutDownPreventionLock locker;
   if (forSTARTTLS || proxyHost) {
     if (SECSuccess != SSL_OptionSet(fd, SSL_SECURITY, false)) {
       return NS_ERROR_FAILURE;
     }
-    infoObject->SetHasCleartextPhase(true);
   }
 
   // Let's see if we're trying to connect to a site we know is
   // TLS intolerant.
   nsAutoCString key;
   key = nsDependentCString(host) + NS_LITERAL_CSTRING(":") + nsPrintfCString("%d", port);
 
   SSLVersionRange range;
--- a/security/manager/ssl/src/nsNSSIOLayer.h
+++ b/security/manager/ssl/src/nsNSSIOLayer.h
@@ -30,30 +30,27 @@ class nsNSSSocketInfo : public mozilla::
 {
 public:
   nsNSSSocketInfo(mozilla::psm::SharedSSLState& aState, uint32_t providerFlags);
   
   NS_DECL_ISUPPORTS_INHERITED
   NS_DECL_NSISSLSOCKETCONTROL
   NS_DECL_NSICLIENTAUTHUSERDECISION
  
-  nsresult SetForSTARTTLS(bool aForSTARTTLS);
-  nsresult GetForSTARTTLS(bool *aForSTARTTLS);
+  void SetForSTARTTLS(bool aForSTARTTLS);
+  bool GetForSTARTTLS();
 
   nsresult GetFileDescPtr(PRFileDesc** aFilePtr);
   nsresult SetFileDescPtr(PRFileDesc* aFilePtr);
 
   bool IsHandshakePending() const { return mHandshakePending; }
   void SetHandshakeNotPending() { mHandshakePending = false; }
 
   void GetPreviousCert(nsIX509Cert** _result);
   
-  void SetHasCleartextPhase(bool aHasCleartextPhase);
-  bool GetHasCleartextPhase();
-  
   void SetTLSVersionRange(SSLVersionRange range) { mTLSVersionRange = range; }
   SSLVersionRange GetTLSVersionRange() const { return mTLSVersionRange; };
 
   PRStatus CloseSocketAndDestroy(
                 const nsNSSShutDownPreventionLock & proofOfLock);
   
   void SetNegotiatedNPN(const char *value, uint32_t length);
 
@@ -111,17 +108,16 @@ private:
   PRFileDesc* mFd;
 
   CertVerificationState mCertVerificationState;
 
   mozilla::psm::SharedSSLState& mSharedState;
   bool mForSTARTTLS;
   SSLVersionRange mTLSVersionRange;
   bool mHandshakePending;
-  bool mHasCleartextPhase;
   bool mRememberClientAuthCertificate;
   bool mPreliminaryHandshakeDone; // after false start items are complete
 
   nsresult ActivateSSL();
 
   nsCString mNegotiatedNPN;
   bool      mNPNCompleted;
   bool      mFalseStartCallbackCalled;