Bug 1128763 - Do insecure fallback after PR_CONNECT_RESET_ERROR for whitelisted sites only. r=keeler

security/manager/ssl/src/nsNSSIOLayer.cpp

@@ -1224,6 +1224,14 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
 
     return false;
   }
+
+  // Allow PR_CONNECT_RESET_ERROR only for whitelisted sites.
+  if (err == PR_CONNECT_RESET_ERROR &&
+      !socketInfo->SharedState().IOLayerHelpers()
+        .isInsecureFallbackSite(socketInfo->GetHostName())) {
+    return false;
+  }
+
   if ((err == SSL_ERROR_NO_CYPHER_OVERLAP || err == PR_END_OF_FILE_ERROR ||
        err == PR_CONNECT_RESET_ERROR) &&
       nsNSSComponent::AreAnyWeakCiphersEnabled()) {
@@ -1835,6 +1843,13 @@ nsSSLIOLayerHelpers::setInsecureFallbackSites(const nsCString& str)
   }
 }
 
+bool
+nsSSLIOLayerHelpers::isInsecureFallbackSite(const nsACString& hostname)
+{
+  MutexAutoLock lock(mutex);
+  return mInsecureFallbackSites.Contains(hostname);
+}
+
 void
 nsSSLIOLayerHelpers::setTreatUnsafeNegotiationAsBroken(bool broken)
 {

security/manager/ssl/src/nsNSSIOLayer.h

@@ -232,6 +232,7 @@ public:
   void clearStoredData();
   void loadVersionFallbackLimit();
   void setInsecureFallbackSites(const nsCString& str);
+  bool isInsecureFallbackSite(const nsACString& hostname);
 
   bool mFalseStartRequireNPN;
   bool mFalseStartRequireForwardSecrecy;