bug 368126, client abandons SSL connection during bad cert dialogs
bug 365898, SSL handshake timeout is too short r=rrelyea
Родитель
0d20506f60
Коммит
67ce3c3059
|
@ -185,6 +185,8 @@ nsNSSSocketInfo::nsNSSSocketInfo()
|
|||
mCanceled(PR_FALSE),
|
||||
mHasCleartextPhase(PR_FALSE),
|
||||
mHandshakeInProgress(PR_FALSE),
|
||||
mAllowTLSIntoleranceTimeout(PR_TRUE),
|
||||
mBlockedOnBadCertUI(PR_FALSE),
|
||||
mHandshakeStartTime(0),
|
||||
mPort(0),
|
||||
mCAChain(nsnull)
|
||||
|
@ -473,11 +475,29 @@ void nsNSSSocketInfo::SetHandshakeInProgress(PRBool aIsIn)
|
|||
}
|
||||
}
|
||||
|
||||
#define HANDSHAKE_TIMEOUT_SECONDS 8
|
||||
void nsNSSSocketInfo::SetBlockedOnBadCertUI(PRBool aCurrentlyBlockedOnUI)
|
||||
{
|
||||
if (mBlockedOnBadCertUI && !aCurrentlyBlockedOnUI)
|
||||
{
|
||||
// we were blocked and going back to unblocked,
|
||||
// so let's reset the handshake start time, in order to ensure
|
||||
// we do not count the amount of time while the UI was shown.
|
||||
mHandshakeStartTime = PR_IntervalNow();
|
||||
}
|
||||
|
||||
mBlockedOnBadCertUI = aCurrentlyBlockedOnUI;
|
||||
}
|
||||
|
||||
void nsNSSSocketInfo::SetAllowTLSIntoleranceTimeout(PRBool aAllow)
|
||||
{
|
||||
mAllowTLSIntoleranceTimeout = aAllow;
|
||||
}
|
||||
|
||||
#define HANDSHAKE_TIMEOUT_SECONDS 25
|
||||
|
||||
PRBool nsNSSSocketInfo::HandshakeTimeout()
|
||||
{
|
||||
if (!mHandshakeInProgress)
|
||||
if (!mHandshakeInProgress || !mAllowTLSIntoleranceTimeout || mBlockedOnBadCertUI)
|
||||
return PR_FALSE;
|
||||
|
||||
return ((PRIntervalTime)(PR_IntervalNow() - mHandshakeStartTime)
|
||||
|
@ -2488,6 +2508,7 @@ nsNSSBadCertHandler(void *arg, PRFileDesc *sslSocket)
|
|||
return SECFailure;
|
||||
}
|
||||
NS_ADDREF(nssCert);
|
||||
infoObject->SetBlockedOnBadCertUI(PR_TRUE);
|
||||
while (rv != SECSuccess) {
|
||||
//Func nsContinueDespiteCertError does the same set of checks as func.
|
||||
//nsCertErrorNeedsDialog. So, removing call to nsCertErrorNeedsDialog
|
||||
|
@ -2498,6 +2519,7 @@ nsNSSBadCertHandler(void *arg, PRFileDesc *sslSocket)
|
|||
rv = verifyCertAgain(peerCert, sslSocket, infoObject);
|
||||
error = PR_GetError();
|
||||
}
|
||||
infoObject->SetBlockedOnBadCertUI(PR_FALSE);
|
||||
NS_RELEASE(nssCert);
|
||||
CERT_DestroyCertificate(peerCert);
|
||||
if (rv != SECSuccess) {
|
||||
|
@ -2568,6 +2590,8 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, PRBool forSTARTTLS,
|
|||
if (nsSSLIOLayerHelpers::isKnownAsIntolerantSite(key)) {
|
||||
if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS, PR_FALSE))
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
infoObject->SetAllowTLSIntoleranceTimeout(PR_FALSE);
|
||||
|
||||
// We assume that protocols that use the STARTTLS mechanism should support
|
||||
// modern hellos. For other protocols, if we suspect a site
|
||||
|
|
|
@ -160,6 +160,9 @@ public:
|
|||
PRBool GetHandshakeInProgress() { return mHandshakeInProgress; }
|
||||
PRBool HandshakeTimeout();
|
||||
|
||||
void SetAllowTLSIntoleranceTimeout(PRBool aAllow);
|
||||
void SetBlockedOnBadCertUI(PRBool aCurrentlyBlockedOnUI);
|
||||
|
||||
nsresult RememberCAChain(CERTCertList *aCertList);
|
||||
|
||||
/* Set SSL Status values */
|
||||
|
@ -177,6 +180,8 @@ protected:
|
|||
PRPackedBool mCanceled;
|
||||
PRPackedBool mHasCleartextPhase;
|
||||
PRPackedBool mHandshakeInProgress;
|
||||
PRPackedBool mAllowTLSIntoleranceTimeout;
|
||||
PRPackedBool mBlockedOnBadCertUI;
|
||||
PRIntervalTime mHandshakeStartTime;
|
||||
PRInt32 mPort;
|
||||
nsXPIDLCString mHostName;
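Review bot: The new members mAllowTLSIntoleranceTimeout and mBlockedOnBadCertUI are declared without comments, although each one on its own makes HandshakeTimeout() return PR_FALSE and so changes when the intolerance heuristic can fire. Going by the .cpp hunks on this page, I would add `// PR_FALSE once TLS is already disabled for a known-intolerant site; HandshakeTimeout() then never reports a timeout` and `// PR_TRUE while nsNSSBadCertHandler is waiting on the bad-cert UI; clearing it restarts mHandshakeStartTime`. The two setter declarations above would benefit from the same one-line descriptions, since SetBlockedOnBadCertUI has the side effect of resetting the handshake clock, which its name does not suggest. The class definition starts and ends outside these hunks.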
|
||||
|
|