Backed out 4 changesets (bug 1579285, bug 1579270) for browser-chrome failures at browser/base/content/test/siteIdentity/browser_deprecatedTLSVersions.js on a CLOSED TREE

Backed out changeset 36d7cc55bd16 (bug 1579285) Backed out changeset 26e3ed3c1592 (bug 1579285) Backed out changeset 913652258fe6 (bug 1579285) Backed out changeset 0781e60dd54c (bug 1579270)
2019-09-27 04:19:59 +03:00 · 2019-09-27 04:19:59 +03:00 · 735d79f681
--- a/browser/base/content/aboutNetError.js
+++ b/browser/base/content/aboutNetError.js
@ -74,18 +74,6 @@ function showPrefChangeContainer() {
  addAutofocus("#prefResetButton", "beforeend");
 }

-function showTls10Container() {
-  const panel = document.getElementById("enableTls10Container");
-  panel.style.display = "block";
-  document.getElementById("netErrorButtonContainer").style.display = "none";
-  const button = document.getElementById("enableTls10Button");
-  button.addEventListener("click", function enableTls10(e) {
-    RPMSetBoolPref("security.tls.version.enable-deprecated", true);
-    retryThis(button);
-  });
-  addAutofocus("#enableTls10Button", "beforeend");
-}
-
 function setupAdvancedButton() {
  // Get the hostname and add it to the panel
  var panel = document.getElementById("badCertAdvancedPanel");
@ -276,36 +264,26 @@ function initPage() {
  if (err == "nssFailure2") {
    setupErrorUI();

-    const errorCode = document.getNetErrorInfo().errorCodeString;
-    const isTlsVersionError = errorCode == "SSL_ERROR_UNSUPPORTED_VERSION";
-    const tls10OverrideEnabled = RPMGetBoolPref(
-      "security.tls.version.enable-deprecated"
-    );
+    RPMAddMessageListener("HasChangedCertPrefs", msg => {
+      let hasChangedCertPrefs = msg.data.hasChangedCertPrefs;

-    if (isTlsVersionError && !tls10OverrideEnabled) {
-      // This is probably a TLS 1.0 server; offer to re-enable.
-      showTls10Container();
-    } else {
-      const hasPrefStyleError = [
+      let errorCode = document.getNetErrorInfo().errorCodeString;
+      let hasPrefStyleError = [
        "interrupted", // This happens with subresources that are above the max tls
-        "SSL_ERROR_NO_CIPHERS_SUPPORTED",
-        "SSL_ERROR_NO_CYPHER_OVERLAP",
        "SSL_ERROR_PROTOCOL_VERSION_ALERT",
        "SSL_ERROR_UNSUPPORTED_VERSION",
+        "SSL_ERROR_NO_CYPHER_OVERLAP",
+        "SSL_ERROR_NO_CIPHERS_SUPPORTED",
      ].some(substring => {
        return substring == errorCode;
      });

-      if (hasPrefStyleError) {
-        RPMAddMessageListener("HasChangedCertPrefs", msg => {
-          if (msg.data.hasChangedCertPrefs) {
-            // Configuration overrides might have caused this; offer to reset.
-            showPrefChangeContainer();
-          }
-        });
-        RPMSendAsyncMessage("GetChangedCertPrefs");
+      // If it looks like an error that is user config based
+      if (hasPrefStyleError && hasChangedCertPrefs) {
+        showPrefChangeContainer();
      }
-    }
+    });
+    RPMSendAsyncMessage("GetChangedCertPrefs");
  }

  if (err == "sslv3Used") {
--- a/browser/base/content/aboutNetError.xhtml
+++ b/browser/base/content/aboutNetError.xhtml
@ -181,14 +181,6 @@
          </div>
        </div>

-        <!-- UI to temporarily re-enable TLS 1.0 and 1.1.
-             This should be removed after March 2020, see bug 1579285.  -->
-        <div id="enableTls10Container" class="button-container">
-          <p>&enableTls10.longDesc;</p>
-          <p>&enableTls10.note;</p>
-          <button id="enableTls10Button" class="primary">&enableTls10.label;</button>
-        </div>
-
        <!-- UI for option to report certificate errors to Mozilla. Removed on
             init for other error types .-->
        <div id="prefChangeContainer" class="button-container">
--- a/browser/base/content/test/about/browser_aboutNetError.js
+++ b/browser/base/content/test/about/browser_aboutNetError.js
@ -3,25 +3,23 @@

 "use strict";

-const SSL3_PAGE = "https://ssl3.example.com/";
-const TLS10_PAGE = "https://tls1.example.com/";
-const TLS12_PAGE = "https://tls12.example.com/";
+const LOW_TLS_VERSION = "https://tls1.example.com/";

-add_task(async function resetToDefaultConfig() {
+add_task(async function checkReturnToPreviousPage() {
  info(
-    "Change TLS config to cause page load to fail, check that reset button is shown and that it works"
+    "Loading a TLS page that isn't supported, ensure we have a fix button and clicking it then loads the page"
  );

  // Set ourselves up for TLS error
-  Services.prefs.setIntPref("security.tls.version.min", 1); // TLS 1.0
-  Services.prefs.setIntPref("security.tls.version.max", 1);
+  Services.prefs.setIntPref("security.tls.version.max", 3);
+  Services.prefs.setIntPref("security.tls.version.min", 3);

  let browser;
  let pageLoaded;
  await BrowserTestUtils.openNewForegroundTab(
    gBrowser,
    () => {
-      gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, TLS12_PAGE);
+      gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, LOW_TLS_VERSION);
      browser = gBrowser.selectedBrowser;
      pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
    },
@ -31,54 +29,59 @@ add_task(async function resetToDefaultConfig() {
  info("Loading and waiting for the net error");
  await pageLoaded;

-  // Setup an observer for the target page.
-  const finalLoadComplete = BrowserTestUtils.browserLoaded(
-    browser,
-    false,
-    TLS12_PAGE
-  );
-
-  await ContentTask.spawn(browser, null, async function() {
-    const doc = content.document;
+  // NB: This code assumes that the error page and the test page load in the
+  // same process. If this test starts to fail, it could be because they load
+  // in different processes.
+  await ContentTask.spawn(browser, LOW_TLS_VERSION, async function(
+    LOW_TLS_VERSION_
+  ) {
    ok(
-      doc.documentURI.startsWith("about:neterror"),
+      content.document.getElementById("prefResetButton").getBoundingClientRect()
+        .left >= 0,
+      "Should have a visible button"
+    );
+
+    ok(
+      content.document.documentURI.startsWith("about:neterror"),
      "Should be showing error page"
    );

-    const prefResetButton = doc.getElementById("prefResetButton");
-    ok(
-      ContentTaskUtils.is_visible(prefResetButton),
-      "prefResetButton should be visible"
-    );
+    let doc = content.document;
+    let prefResetButton = doc.getElementById("prefResetButton");
    is(
      prefResetButton.getAttribute("autofocus"),
      "true",
      "prefResetButton has autofocus"
    );
    prefResetButton.click();
+
+    await ContentTaskUtils.waitForEvent(this, "pageshow", true);
+
+    is(
+      content.document.documentURI,
+      LOW_TLS_VERSION_,
+      "Should not be showing page"
+    );
  });

-  info("Waiting for the TLS 1.2 page to load after the click");
-  await finalLoadComplete;
-
-  Services.prefs.clearUserPref("security.tls.version.min");
-  Services.prefs.clearUserPref("security.tls.version.max");
  BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });

 add_task(async function checkLearnMoreLink() {
-  info("Load an unsupported TLS page and check for a learn more link");
+  info(
+    "Loading a TLS page that isn't supported and checking the learn more link"
+  );

  // Set ourselves up for TLS error
+  Services.prefs.setIntPref("security.tls.version.max", 3);
  Services.prefs.setIntPref("security.tls.version.min", 3);
-  Services.prefs.setIntPref("security.tls.version.max", 4);

  let browser;
  let pageLoaded;
  await BrowserTestUtils.openNewForegroundTab(
    gBrowser,
    () => {
-      gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, TLS10_PAGE);
+      gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, LOW_TLS_VERSION);
      browser = gBrowser.selectedBrowser;
      pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
    },
@ -88,16 +91,16 @@ add_task(async function checkLearnMoreLink() {
  info("Loading and waiting for the net error");
  await pageLoaded;

-  const baseURL = Services.urlFormatter.formatURLPref("app.support.baseURL");
+  let baseURL = Services.urlFormatter.formatURLPref("app.support.baseURL");

  await ContentTask.spawn(browser, baseURL, function(_baseURL) {
-    const doc = content.document;
    ok(
-      doc.documentURI.startsWith("about:neterror"),
+      content.document.documentURI.startsWith("about:neterror"),
      "Should be showing error page"
    );

-    const learnMoreLink = doc.getElementById("learnMoreLink");
+    let doc = content.document;
+    let learnMoreLink = doc.getElementById("learnMoreLink");
    ok(
      ContentTaskUtils.is_visible(learnMoreLink),
      "Learn More link is visible"
@ -105,120 +108,7 @@ add_task(async function checkLearnMoreLink() {
    is(learnMoreLink.getAttribute("href"), _baseURL + "connection-not-secure");
  });

-  Services.prefs.clearUserPref("security.tls.version.min");
  Services.prefs.clearUserPref("security.tls.version.max");
-  BrowserTestUtils.removeTab(gBrowser.selectedTab);
-});
-
-add_task(async function checkEnable10() {
-  info(
-    "Load a page with a deprecated TLS version, an option to enable TLS 1.0 is offered and it works"
-  );
-
-  Services.prefs.setIntPref("security.tls.version.min", 3);
-  // Disable TLS 1.3 so that we trigger a SSL_ERROR_UNSUPPORTED_VERSION.
-  // As NSS generates an alert rather than negotiating a lower version
-  // if we use the supported_versions extension from TLS 1.3.
-  Services.prefs.setIntPref("security.tls.version.max", 3);
-
-  let browser;
-  let pageLoaded;
-  await BrowserTestUtils.openNewForegroundTab(
-    gBrowser,
-    () => {
-      gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, TLS10_PAGE);
-      browser = gBrowser.selectedBrowser;
-      pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
-    },
-    false
-  );
-
-  info("Loading and waiting for the net error");
-  await pageLoaded;
-
-  // Setup an observer for the target page.
-  const finalLoadComplete = BrowserTestUtils.browserLoaded(
-    browser,
-    false,
-    TLS10_PAGE
-  );
-
-  await ContentTask.spawn(browser, null, async function() {
-    const doc = content.document;
-    ok(
-      doc.documentURI.startsWith("about:neterror"),
-      "Should be showing error page"
-    );
-
-    const enableTls10Button = doc.getElementById("enableTls10Button");
-    ok(
-      ContentTaskUtils.is_visible(enableTls10Button),
-      "Option to re-enable TLS 1.0 is visible"
-    );
-    enableTls10Button.click();
-
-    // It should not also offer to reset preferences instead.
-    const prefResetButton = doc.getElementById("prefResetButton");
-    ok(
-      !ContentTaskUtils.is_visible(prefResetButton),
-      "prefResetButton should NOT be visible"
-    );
-  });
-
-  info("Waiting for the TLS 1.0 page to load after the click");
-  await finalLoadComplete;
-
-  Services.prefs.clearUserPref("security.tls.version.min");
-  Services.prefs.clearUserPref("security.tls.version.max");
-  Services.prefs.clearUserPref("security.tls.version.enable-deprecated");
-  BrowserTestUtils.removeTab(gBrowser.selectedTab);
-});
-
-add_task(async function dontOffer10WhenAlreadyEnabled() {
-  info("An option to enable TLS 1.0 is not offered if already enabled");
-
-  Services.prefs.setIntPref("security.tls.version.min", 3);
-  Services.prefs.setIntPref("security.tls.version.max", 3);
-  Services.prefs.setBoolPref("security.tls.version.enable-deprecated", true);
-
-  let browser;
-  let pageLoaded;
-  await BrowserTestUtils.openNewForegroundTab(
-    gBrowser,
-    () => {
-      gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, SSL3_PAGE);
-      browser = gBrowser.selectedBrowser;
-      pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
-    },
-    false
-  );
-
-  info("Loading and waiting for the net error");
-  await pageLoaded;
-
-  await ContentTask.spawn(browser, null, async function() {
-    const doc = content.document;
-    ok(
-      doc.documentURI.startsWith("about:neterror"),
-      "Should be showing error page"
-    );
-
-    const enableTls10Button = doc.getElementById("enableTls10Button");
-    ok(
-      !ContentTaskUtils.is_visible(enableTls10Button),
-      "Option to re-enable TLS 1.0 is not visible"
-    );
-
-    // It should offer to reset preferences instead.
-    const prefResetButton = doc.getElementById("prefResetButton");
-    ok(
-      ContentTaskUtils.is_visible(prefResetButton),
-      "prefResetButton should be visible"
-    );
-  });
-
-  Services.prefs.clearUserPref("security.tls.version.min");
-  Services.prefs.clearUserPref("security.tls.version.max");
-  Services.prefs.clearUserPref("security.tls.version.enable-deprecated");
+  Services.prefs.clearUserPref("security.tls.version.min");
  BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });
--- a/browser/locales/en-US/chrome/overrides/netError.dtd
+++ b/browser/locales/en-US/chrome/overrides/netError.dtd
@ -230,9 +230,5 @@ was trying to connect. -->
 <!ENTITY prefReset.longDesc "It looks like your network security settings might be causing this. Do you want the default settings to be restored?">
 <!ENTITY prefReset.label "Restore default settings">

-<!ENTITY enableTls10.longDesc "This website might not support the TLS 1.2 protocol, which is the minimum version supported by &brandShortName;. Enabling TLS 1.0 and TLS 1.1 might allow this connection to succeed.">
-<!ENTITY enableTls10.note "TLS 1.0 and TLS 1.1 will be permanently disabled in a future release.">
-<!ENTITY enableTls10.label "Enable TLS 1.0 and 1.1">
-
 <!ENTITY networkProtocolError.title "Network Protocol Error">
 <!ENTITY networkProtocolError.longDesc "<p>The page you are trying to view cannot be shown because an error in the network protocol was detected.</p><ul><li>Please contact the website owners to inform them of this problem.</li></ul>">
--- a/browser/themes/shared/aboutNetError.css
+++ b/browser/themes/shared/aboutNetError.css
@ -47,10 +47,6 @@ button:disabled {
  margin-top: 2em;
 }

-#enableTls10Container {
-  display: none;
-}
-
 #prefChangeContainer {
  display: none;
 }
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -19,13 +19,8 @@
 // improves readability, particular for conditional blocks that exceed a single
 // screen.

-#ifdef RELEASE_OR_BETA
-  pref("security.tls.version.min", 1);
-#else
-  pref("security.tls.version.min", 3);
-#endif
+pref("security.tls.version.min", 1);
 pref("security.tls.version.max", 4);
-pref("security.tls.version.enable-deprecated", false);
 pref("security.tls.version.fallback-limit", 4);
 pref("security.tls.insecure_fallback_hosts", "");
 // Turn off post-handshake authentication for TLS 1.3 by default,
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@ -1259,14 +1259,6 @@ nsresult nsNSSComponent::setEnabledTLSVersions() {
  uint32_t maxFromPrefs = Preferences::GetUint("security.tls.version.max",
                                               PSM_DEFAULT_MAX_TLS_VERSION);

-  // This override should be removed when PSM_DEFAULT_MIN_TLS_VERSION is increased
-  // to 3 in March 2020, see bug 1579285.
-  bool enableDeprecated = Preferences::GetBool("security.tls.version.enable-deprecated",
-                                              false);
-  if (enableDeprecated) {
-    minFromPrefs = std::min(minFromPrefs, PSM_DEFAULT_MIN_TLS_VERSION);
-  }
-
  SSLVersionRange defaults = {
      SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION,
      SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION};
@ -1918,8 +1910,7 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
    NS_ConvertUTF16toUTF8 prefName(someData);

    if (prefName.EqualsLiteral("security.tls.version.min") ||
-        prefName.EqualsLiteral("security.tls.version.max") ||
-        prefName.EqualsLiteral("security.tls.version.enable-deprecated")) {
+        prefName.EqualsLiteral("security.tls.version.max")) {
      (void)setEnabledTLSVersions();
    } else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) {
      bool enableDowngradeCheck = Preferences::GetBool(
--- a/toolkit/components/remotepagemanager/MessagePort.jsm
+++ b/toolkit/components/remotepagemanager/MessagePort.jsm
@ -56,10 +56,9 @@ let RPMAccessManager = {
    "about:neterror": {
      getFormatURLPref: ["app.support.baseURL"],
      getBoolPref: [
-        "security.certerror.hideAddException",
-        "security.ssl.errorReporting.automatic",
        "security.ssl.errorReporting.enabled",
-        "security.tls.version.enable-deprecated",
+        "security.ssl.errorReporting.automatic",
+        "security.certerror.hideAddException",
      ],
    },
    "about:privatebrowsing": {
--- a/toolkit/modules/AsyncPrefs.jsm
+++ b/toolkit/modules/AsyncPrefs.jsm
@ -26,8 +26,6 @@ const kAllowedPrefs = new Set([
  "reader.color_scheme",
  "reader.content_width",
  "reader.line_height",
-
-  "security.tls.version.enable-deprecated",
 ]);

 const kPrefTypeMap = new Map([