Bug 1745678 - Remove TLS 1.0/1.1 override UX, r=Gijs,mkaply,fluent-reviewers

I've erred on the side of removing code here. I think that I got most of it, but there was quite a bit of accrued code. Thanks to Gijs for fluent fixups (and code cleanup). This retains some notice of the failed version. Bug 1586846, Bug 1579285, Bug 1586846, and Bug 1617275 all added code here. Differential Revision: https://phabricator.services.mozilla.com/D133591
2021-12-28 23:39:43 +00:00 · 2021-12-28 23:39:43 +00:00 · 222f4654e3
--- a/browser/actors/NetErrorChild.jsm
+++ b/browser/actors/NetErrorChild.jsm
@ -29,7 +29,6 @@ class NetErrorChild extends RemotePageChild {
    const exportableFunctions = [
      "RPMGetAppBuildID",
      "RPMGetInnerMostURI",
-      "RPMPrefIsLocked",
      "RPMAddToHistogram",
      "RPMRecordTelemetryEvent",
      "RPMGetHttpResponseHeader",
@ -84,10 +83,6 @@ class NetErrorChild extends RemotePageChild {
    return Services.appinfo.appBuildID;
  }

-  RPMPrefIsLocked(aPref) {
-    return Services.prefs.prefIsLocked(aPref);
-  }
-
  RPMAddToHistogram(histID, bin) {
    Services.telemetry.getHistogramById(histID).add(bin);
  }
--- a/browser/base/content/certerror/aboutNetError.js
+++ b/browser/base/content/certerror/aboutNetError.js
@ -126,18 +126,6 @@ function showPrefChangeContainer() {
  setFocus("#prefResetButton", "beforeend");
 }

-function showTls10Container() {
-  const panel = document.getElementById("enableTls10Container");
-  panel.style.display = "block";
-  document.getElementById("netErrorButtonContainer").style.display = "none";
-  const button = document.getElementById("enableTls10Button");
-  button.addEventListener("click", function enableTls10(e) {
-    RPMSetBoolPref("security.tls.version.enable-deprecated", true);
-    retryThis(button);
-  });
-  setFocus("#enableTls10Button", "beforeend");
-}
-
 function toggleCertErrorDebugInfoVisibility(shouldShow) {
  let debugInfo = document.getElementById("certificateErrorDebugInformation");
  let copyButton = document.getElementById("copyToClipboardTop");
@ -375,51 +363,33 @@ function initPage() {
    document.getElementById("learnMoreContainer").style.display = "block";

    const errorCode = document.getNetErrorInfo().errorCodeString;
-    const isTlsVersionError =
-      errorCode == "SSL_ERROR_UNSUPPORTED_VERSION" ||
-      errorCode == "SSL_ERROR_PROTOCOL_VERSION_ALERT";
-    const tls10OverrideEnabled = RPMGetBoolPref(
-      "security.tls.version.enable-deprecated"
-    );

    if (
-      isTlsVersionError &&
-      !tls10OverrideEnabled &&
-      !RPMPrefIsLocked("security.tls.version.min")
+      errorCode == "SSL_ERROR_UNSUPPORTED_VERSION" ||
+      errorCode == "SSL_ERROR_PROTOCOL_VERSION_ALERT"
    ) {
-      // security.tls.* prefs may be reset by the user when they
-      // encounter an error, so it's important that this has a
-      // different pref branch.
-      const showOverride = RPMGetBoolPref(
-        "security.certerrors.tls.version.show-override",
-        true
-      );
+      document.getElementById("tlsVersionNotice").hidden = false;
+    }

-      // This is probably a TLS 1.0 server; offer to re-enable.
-      if (showOverride) {
-        showTls10Container();
-      }
-    } else {
-      const hasPrefStyleError = [
-        "interrupted", // This happens with subresources that are above the max tls
-        "SSL_ERROR_NO_CIPHERS_SUPPORTED",
-        "SSL_ERROR_NO_CYPHER_OVERLAP",
-        "SSL_ERROR_PROTOCOL_VERSION_ALERT",
-        "SSL_ERROR_SSL_DISABLED",
-        "SSL_ERROR_UNSUPPORTED_VERSION",
-      ].some(substring => {
-        return substring == errorCode;
+    const hasPrefStyleError = [
+      "interrupted", // This happens with subresources that are above the max tls
+      "SSL_ERROR_NO_CIPHERS_SUPPORTED",
+      "SSL_ERROR_NO_CYPHER_OVERLAP",
+      "SSL_ERROR_PROTOCOL_VERSION_ALERT",
+      "SSL_ERROR_SSL_DISABLED",
+      "SSL_ERROR_UNSUPPORTED_VERSION",
+    ].some(substring => {
+      return substring == errorCode;
+    });
+
+    if (hasPrefStyleError) {
+      RPMAddMessageListener("HasChangedCertPrefs", msg => {
+        if (msg.data.hasChangedCertPrefs) {
+          // Configuration overrides might have caused this; offer to reset.
+          showPrefChangeContainer();
+        }
      });
-
-      if (hasPrefStyleError) {
-        RPMAddMessageListener("HasChangedCertPrefs", msg => {
-          if (msg.data.hasChangedCertPrefs) {
-            // Configuration overrides might have caused this; offer to reset.
-            showPrefChangeContainer();
-          }
-        });
-        RPMSendAsyncMessage("GetChangedCertPrefs");
-      }
+      RPMSendAsyncMessage("GetChangedCertPrefs");
    }
  }

--- a/browser/base/content/certerror/aboutNetError.xhtml
+++ b/browser/base/content/certerror/aboutNetError.xhtml
@ -141,6 +141,10 @@
          <!-- Long Description (Note: See netError.dtd for used XHTML tags) -->
          <div id="errorLongDesc" />

+          <div id="tlsVersionNotice" hidden="true">
+            <p data-l10n-id="cert-error-old-tls-version"></p>
+          </div>
+
          <div id="learnMoreContainer">
            <p><a id="learnMoreLink" target="_blank" rel="noopener noreferrer" data-telemetry-id="learn_more_link">&errorReporting.learnMore;</a></p>
          </div>
@ -151,14 +155,6 @@
          </div>
        </div>

-        <!-- UI to temporarily re-enable TLS 1.0 and 1.1.
-             This should be removed after March 2020, see bug 1579285.  -->
-        <div id="enableTls10Container" class="button-container">
-          <p>&enableTls10.longDesc;</p>
-          <p>&enableTls10.note;</p>
-          <button id="enableTls10Button" class="primary">&enableTls10.label;</button>
-        </div>
-
        <!-- UI for option to report certificate errors to Mozilla. Removed on
             init for other error types .-->
        <div id="prefChangeContainer" class="button-container">
--- a/browser/base/content/test/about/browser_aboutNetError.js
+++ b/browser/base/content/test/about/browser_aboutNetError.js
@ -9,37 +9,10 @@ const TLS12_PAGE = "https://tls12.example.com/";
 const TRIPLEDES_PAGE = "https://3des.example.com/";

 // This includes all the cipher suite prefs we have.
-const CIPHER_SUITE_PREFS = [
-  "security.ssl3.dhe_rsa_aes_128_sha",
-  "security.ssl3.dhe_rsa_aes_256_sha",
-  "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",
-  "security.ssl3.ecdhe_ecdsa_aes_128_sha",
-  "security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384",
-  "security.ssl3.ecdhe_ecdsa_aes_256_sha",
-  "security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256",
-  "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",
-  "security.ssl3.ecdhe_rsa_aes_128_sha",
-  "security.ssl3.ecdhe_rsa_aes_256_gcm_sha384",
-  "security.ssl3.ecdhe_rsa_aes_256_sha",
-  "security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256",
-  "security.ssl3.rsa_aes_128_sha",
-  "security.ssl3.rsa_aes_256_sha",
-  "security.ssl3.rsa_aes_128_gcm_sha256",
-  "security.ssl3.rsa_aes_256_gcm_sha384",
-  "security.ssl3.deprecated.rsa_des_ede3_sha",
-  "security.tls13.aes_128_gcm_sha256",
-  "security.tls13.aes_256_gcm_sha384",
-  "security.tls13.chacha20_poly1305_sha256",
-];
-
 function resetPrefs() {
  Services.prefs.clearUserPref("security.tls.version.min");
  Services.prefs.clearUserPref("security.tls.version.max");
  Services.prefs.clearUserPref("security.tls.version.enable-deprecated");
-  Services.prefs.clearUserPref("security.certerrors.tls.version.show-override");
-  CIPHER_SUITE_PREFS.forEach(suitePref => {
-    Services.prefs.clearUserPref(suitePref);
-  });
 }

 add_task(async function resetToDefaultConfig() {
@ -47,13 +20,6 @@ add_task(async function resetToDefaultConfig() {
    "Change TLS config to cause page load to fail, check that reset button is shown and that it works"
  );

-  // Just twiddling version will trigger the TLS 1.0 offer.  So to test the
-  // broader UX, disable all cipher suites to trigger SSL_ERROR_SSL_DISABLED.
-  // This can be removed when security.tls.version.enable-deprecated is.
-  CIPHER_SUITE_PREFS.forEach(suitePref => {
-    Services.prefs.setBoolPref(suitePref, false);
-  });
-
  // Set ourselves up for a TLS error.
  Services.prefs.setIntPref("security.tls.version.min", 1); // TLS 1.0
  Services.prefs.setIntPref("security.tls.version.max", 1);
@ -105,9 +71,6 @@ add_task(async function resetToDefaultConfig() {
  info("Waiting for the page to load after the click");
  await finalLoadComplete;

-  CIPHER_SUITE_PREFS.forEach(suitePref => {
-    Services.prefs.clearUserPref(suitePref);
-  });
  resetPrefs();
  BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });
@ -143,6 +106,12 @@ add_task(async function checkLearnMoreLink() {
      "Should be showing error page"
    );

+    const tlsVersionNotice = doc.getElementById("tlsVersionNotice");
+    ok(
+      ContentTaskUtils.is_visible(tlsVersionNotice),
+      "TLS version notice is visible"
+    );
+
    const learnMoreLink = doc.getElementById("learnMoreLink");
    ok(
      ContentTaskUtils.is_visible(learnMoreLink),
@ -170,158 +139,6 @@ add_task(async function checkLearnMoreLink() {
  BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });

-add_task(async function checkEnable10() {
-  info(
-    "Load a page with a deprecated TLS version, an option to enable TLS 1.0 is offered and it works"
-  );
-
-  Services.prefs.setIntPref("security.tls.version.min", 3);
-  // Disable TLS 1.3 so that we trigger a SSL_ERROR_UNSUPPORTED_VERSION.
-  // As NSS generates an alert rather than negotiating a lower version
-  // if we use the supported_versions extension from TLS 1.3.
-  Services.prefs.setIntPref("security.tls.version.max", 3);
-
-  let browser;
-  let pageLoaded;
-  await BrowserTestUtils.openNewForegroundTab(
-    gBrowser,
-    () => {
-      gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, TLS10_PAGE);
-      browser = gBrowser.selectedBrowser;
-      pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
-    },
-    false
-  );
-
-  info("Loading and waiting for the net error");
-  await pageLoaded;
-
-  // Setup an observer for the target page.
-  const finalLoadComplete = BrowserTestUtils.browserLoaded(
-    browser,
-    false,
-    TLS10_PAGE
-  );
-
-  await SpecialPowers.spawn(browser, [], async function() {
-    const doc = content.document;
-    ok(
-      doc.documentURI.startsWith("about:neterror"),
-      "Should be showing error page"
-    );
-
-    const enableTls10Button = doc.getElementById("enableTls10Button");
-    ok(
-      ContentTaskUtils.is_visible(enableTls10Button),
-      "Option to re-enable TLS 1.0 is visible"
-    );
-    enableTls10Button.click();
-
-    // It should not also offer to reset preferences instead.
-    const prefResetButton = doc.getElementById("prefResetButton");
-    ok(
-      !ContentTaskUtils.is_visible(prefResetButton),
-      "prefResetButton should NOT be visible"
-    );
-  });
-
-  info("Waiting for the TLS 1.0 page to load after the click");
-  await finalLoadComplete;
-
-  resetPrefs();
-  BrowserTestUtils.removeTab(gBrowser.selectedTab);
-});
-
-add_task(async function dontOffer10WhenAlreadyEnabled() {
-  info("An option to enable TLS 1.0 is not offered if already enabled");
-
-  Services.prefs.setIntPref("security.tls.version.min", 3);
-  Services.prefs.setIntPref("security.tls.version.max", 3);
-  Services.prefs.setBoolPref("security.tls.version.enable-deprecated", true);
-
-  let browser;
-  let pageLoaded;
-  await BrowserTestUtils.openNewForegroundTab(
-    gBrowser,
-    () => {
-      gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, SSL3_PAGE);
-      browser = gBrowser.selectedBrowser;
-      pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
-    },
-    false
-  );
-
-  info("Loading and waiting for the net error");
-  await pageLoaded;
-
-  await SpecialPowers.spawn(browser, [], async function() {
-    const doc = content.document;
-    ok(
-      doc.documentURI.startsWith("about:neterror"),
-      "Should be showing error page"
-    );
-
-    const enableTls10Button = doc.getElementById("enableTls10Button");
-    ok(
-      !ContentTaskUtils.is_visible(enableTls10Button),
-      "Option to re-enable TLS 1.0 is not visible"
-    );
-
-    // It should offer to reset preferences instead.
-    const prefResetButton = doc.getElementById("prefResetButton");
-    ok(
-      ContentTaskUtils.is_visible(prefResetButton),
-      "prefResetButton should be visible"
-    );
-  });
-
-  resetPrefs();
-  BrowserTestUtils.removeTab(gBrowser.selectedTab);
-});
-
-add_task(async function overrideUIPref() {
-  info("TLS 1.0 override option isn't shown when the pref is set to false");
-
-  Services.prefs.setIntPref("security.tls.version.min", 3);
-  Services.prefs.setIntPref("security.tls.version.max", 3);
-  Services.prefs.setBoolPref(
-    "security.certerrors.tls.version.show-override",
-    false
-  );
-
-  let browser;
-  let pageLoaded;
-  await BrowserTestUtils.openNewForegroundTab(
-    gBrowser,
-    () => {
-      gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, TLS10_PAGE);
-      browser = gBrowser.selectedBrowser;
-      pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
-    },
-    false
-  );
-
-  info("Loading and waiting for the net error");
-  await pageLoaded;
-
-  await ContentTask.spawn(browser, null, async function() {
-    const doc = content.document;
-    ok(
-      doc.documentURI.startsWith("about:neterror"),
-      "Should be showing error page"
-    );
-
-    const enableTls10Button = doc.getElementById("enableTls10Button");
-    ok(
-      !ContentTaskUtils.is_visible(enableTls10Button),
-      "Option to re-enable TLS 1.0 is not visible"
-    );
-  });
-
-  resetPrefs();
-  BrowserTestUtils.removeTab(gBrowser.selectedTab);
-});
-
 // Test that ciphersuites that use 3DES (namely, TLS_RSA_WITH_3DES_EDE_CBC_SHA)
 // can only be enabled when deprecated TLS is enabled.
 add_task(async function onlyAllow3DESWithDeprecatedTLS() {
--- a/browser/locales/en-US/browser/aboutCertError.ftl
+++ b/browser/locales/en-US/browser/aboutCertError.ftl
@ -70,6 +70,8 @@ cert-error-symantec-distrust-description = Websites prove their identity via cer

 cert-error-symantec-distrust-admin = You may notify the website’s administrator about this problem.

+cert-error-old-tls-version = This website might not support the TLS 1.2 protocol, which is the minimum version supported by { -brand-short-name }.
+
 # Variables:
 # $hasHSTS (Boolean) - Indicates whether HSTS header is present.
 cert-error-details-hsts-label = HTTP Strict Transport Security: { $hasHSTS }
--- a/browser/locales/en-US/chrome/overrides/netError.dtd
+++ b/browser/locales/en-US/chrome/overrides/netError.dtd
@ -199,8 +199,4 @@ was trying to connect. -->
 <!ENTITY prefReset.longDesc "It looks like your network security settings might be causing this. Do you want the default settings to be restored?">
 <!ENTITY prefReset.label "Restore default settings">

-<!ENTITY enableTls10.longDesc "This website might not support the TLS 1.2 protocol, which is the minimum version supported by &brandShortName;. Enabling TLS 1.0 and TLS 1.1 might allow this connection to succeed.">
-<!ENTITY enableTls10.note "TLS 1.0 and TLS 1.1 will be permanently disabled in a future release.">
-<!ENTITY enableTls10.label "Enable TLS 1.0 and 1.1">
-
 <!ENTITY networkProtocolError.longDesc "<p>The page you are trying to view cannot be shown because an error in the network protocol was detected.</p><ul><li>Please contact the website owners to inform them of this problem.</li></ul>">
--- a/browser/themes/shared/aboutNetError.css
+++ b/browser/themes/shared/aboutNetError.css
@ -60,10 +60,6 @@ button:disabled {
  margin-top: 2em;
 }

-#enableTls10Container {
-  display: none;
-}
-
 #prefChangeContainer {
  display: none;
 }
--- a/toolkit/modules/RemotePageAccessManager.jsm
+++ b/toolkit/modules/RemotePageAccessManager.jsm
@ -51,7 +51,6 @@ let RemotePageAccessManager = {
        "security.enterprise_roots.auto-enabled",
        "security.certerror.hideAddException",
      ],
-      RPMSetBoolPref: ["security.tls.version.enable-deprecated"],
      RPMGetIntPref: [
        "services.settings.clock_skew_seconds",
        "services.settings.last_update_seconds",
@ -88,16 +87,10 @@ let RemotePageAccessManager = {
      RPMGetFormatURLPref: ["app.support.baseURL"],
      RPMGetBoolPref: [
        "security.certerror.hideAddException",
-        "security.tls.version.enable-deprecated",
-        "security.certerrors.tls.version.show-override",
        "security.xfocsp.errorReporting.automatic",
        "security.xfocsp.errorReporting.enabled",
      ],
-      RPMSetBoolPref: [
-        "security.tls.version.enable-deprecated",
-        "security.xfocsp.errorReporting.automatic",
-      ],
-      RPMPrefIsLocked: ["security.tls.version.min"],
+      RPMSetBoolPref: ["security.xfocsp.errorReporting.automatic"],
      RPMAddToHistogram: ["*"],
      RPMGetInnerMostURI: ["*"],
      RPMGetHttpResponseHeader: ["*"],
--- a/tools/lint/eslint/eslint-plugin-mozilla/lib/environments/frame-script.js
+++ b/tools/lint/eslint/eslint-plugin-mozilla/lib/environments/frame-script.js
@ -29,7 +29,6 @@ module.exports = {
    RPMGetStringPref: false,
    RPMGetBoolPref: false,
    RPMSetBoolPref: false,
-    RPMPrefIsLocked: false,
    RPMGetFormatURLPref: false,
    RPMIsWindowPrivate: false,
    RPMSendAsyncMessage: false,