bug 1320510 - clamp the default enabled TLS version range to what NSS supports r=keeler
author: EKR <ekr@rtfm.com>
date: Mon, 28 Nov 2016 13:15:34 -0800
changeset: 324477 d8a41d4c6215cb13f2a62675486f97c140d96deb
parent: 324476 564fbfb9ca4599d4c767af2c1a1428c71678e2ce
child: 324478 03549e92001dda90199b2cbab7f1985b61e8fa07
push id: 24
push user: maklebus@msu.edu
push date: Tue, 20 Dec 2016 03:11:33 +0000
reviewers: keeler
bugs: 1320510
milestone: 53.0a1

bug 1320510 - clamp the default enabled TLS version range to what NSS supports r=keeler

In particular, this fixes the case where Firefox is compiled with TLS 1.3 enabled by default with the option --with-system-nss against NSS 3.28, which has TLS 1.3 compile-time disabled by default.
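The clamp described in the commit message, written out as a stand-alone example (this is added illustration, not Firefox's or NSS's own code). The `VER_*` constants, the `VersionRange` struct and the function names are assumptions that stand in for NSS's `SSL_LIBRARY_VERSION_*` values and `SSLVersionRange`; the example goes one step beyond the patch by reporting the case where the compiled-in defaults and the library's supported range do not overlap at all, which would otherwise yield an empty range with `min > max`.

```cpp
#include <algorithm>
#include <cstdint>

// Constructed stand-ins for NSS's SSL_LIBRARY_VERSION_* constants (assumed
// values for this example; the real ones are defined by NSS).
constexpr uint16_t VER_SSL_3_0 = 0x0300;
constexpr uint16_t VER_TLS_1_0 = 0x0301;
constexpr uint16_t VER_TLS_1_2 = 0x0303;
constexpr uint16_t VER_TLS_1_3 = 0x0304;

// Stand-in for NSS's SSLVersionRange.
struct VersionRange {
  uint16_t min;
  uint16_t max;
};

// Clip the build-time `defaults` to the range `supported` reported by the
// library at run time (the std::max/std::min clamp from the patch).
// Returns false when the two ranges do not overlap, so a caller can fall
// back instead of handing the library an empty range.
bool clampToSupported(const VersionRange& defaults,
                      const VersionRange& supported,
                      VersionRange& out) {
  out.min = std::max(defaults.min, supported.min);
  out.max = std::min(defaults.max, supported.max);
  return out.min <= out.max;
}

// Prefs store versions as offsets from SSL 3.0 (0 = SSL 3.0, 1 = TLS 1.0, ...).
// Mirrors the validation in the patch: prefs are applied only when they form
// a valid range inside `supported` and do not go below TLS 1.0; otherwise
// `out` is left untouched and false is returned. (That prefs are copied into
// the range when valid is an assumption; the hunk ends before that step.)
bool applyPrefs(uint32_t minPref, uint32_t maxPref,
                const VersionRange& supported, VersionRange& out) {
  uint32_t minV = minPref + VER_SSL_3_0;
  uint32_t maxV = maxPref + VER_SSL_3_0;
  if (minV > maxV || minV < supported.min || maxV > supported.max ||
      minV < VER_TLS_1_0) {
    return false;
  }
  out.min = static_cast<uint16_t>(minV);
  out.max = static_cast<uint16_t>(maxV);
  return true;
}

// Full resolution: clamp defaults, fall back to the supported range if the
// clamp is empty, then let valid prefs override.
VersionRange resolveRange(const VersionRange& defaults,
                          const VersionRange& supported,
                          uint32_t minPref, uint32_t maxPref) {
  VersionRange out;
  if (!clampToSupported(defaults, supported, out)) {
    out = supported;  // constructed fallback policy for the disjoint case
  }
  applyPrefs(minPref, maxPref, supported, out);
  return out;
}
```

The scenario from the bug corresponds to defaults of TLS 1.0 through TLS 1.3 against a system NSS whose supported range tops out at TLS 1.2: the clamp lowers the maximum to TLS 1.2 and the pref check then rejects any pref asking for TLS 1.3, so the defaults stay in effect.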
security/manager/ssl/nsNSSComponent.cpp
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1406,16 +1406,21 @@ nsNSSComponent::FillTLSVersionRange(SSLV
   rangeOut = defaults;
   // determine what versions are supported
   SSLVersionRange supported;
   if (SSL_VersionRangeGetSupported(ssl_variant_stream, &supported)
         != SECSuccess) {
     return;
   }
 
+  // Clip the defaults by what NSS actually supports to enable
+  // working with a system NSS with different ranges.
+  rangeOut.min = std::max(rangeOut.min, supported.min);
+  rangeOut.max = std::min(rangeOut.max, supported.max);
+
   // convert min/maxFromPrefs to the internal representation
   minFromPrefs += SSL_LIBRARY_VERSION_3_0;
   maxFromPrefs += SSL_LIBRARY_VERSION_3_0;
   // if min/maxFromPrefs are invalid, use defaults
   if (minFromPrefs > maxFromPrefs ||
       minFromPrefs < supported.min || maxFromPrefs > supported.max ||
       minFromPrefs < SSL_LIBRARY_VERSION_TLS_1_0) {
     return;
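Review bot: the clamp `rangeOut.min = std::max(rangeOut.min, supported.min);` / `rangeOut.max = std::min(rangeOut.max, supported.max);` can leave `rangeOut.min > rangeOut.max` when the compiled-in defaults and the supported range do not overlap (a default minimum above the library's maximum, or vice versa), and nothing in the hunk checks for that before the early `return`s below hand the clipped range back to the caller. Suggest a non-empty check right after the clamp, for example `if (rangeOut.min > rangeOut.max) { rangeOut = supported; return; }` or at least an assertion, and confirming that `<algorithm>` is included for `std::max`/`std::min`, since the includes are outside this hunk.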