Bug 733642: Allow the user to enable any version of TLS that libssl supports, maintaining our current defaults, r=dolske

--HG-- extra : rebase_source : 3484236a9d357b70a88387e0f27d3757db79bd4b
2013-04-11 11:02:51 -07:00 · 2013-04-11 11:02:51 -07:00 · 7807ef4346
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@ -1014,8 +1014,8 @@ pref("services.sync.prefs.sync.security.OCSP.disable_button.managecrl", true);
 pref("services.sync.prefs.sync.security.OCSP.enabled", true);
 pref("services.sync.prefs.sync.security.OCSP.require", true);
 pref("services.sync.prefs.sync.security.default_personal_cert", true);
-pref("services.sync.prefs.sync.security.enable_ssl3", true);
-pref("services.sync.prefs.sync.security.enable_tls", true);
+pref("services.sync.prefs.sync.security.security.tls.version.min", true);
+pref("services.sync.prefs.sync.security.security.tls.version.max", true);
 pref("services.sync.prefs.sync.signon.rememberSignons", true);
 pref("services.sync.prefs.sync.spellchecker.dictionary", true);
 pref("services.sync.prefs.sync.xpinstall.whitelist.required", true);
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@ -2,8 +2,8 @@
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

-pref("security.enable_ssl3",             true);
-pref("security.enable_tls",		 true);
+pref("security.tls.version.min", 0);
+pref("security.tls.version.max", 1);
 pref("security.enable_tls_session_tickets", true);
 pref("security.enable_md5_signatures", false);

--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@ -1123,6 +1123,40 @@ void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref)
  SSL_ClearSessionCache();
 }

+// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 and
+// TLS 1.0 when the prefs aren't set or when they are set to invalid values.
+nsresult
+nsNSSComponent::setEnabledTLSVersions(nsIPrefBranch * prefBranch)
+{
+  // keep these values in sync with security-prefs.js and firefox.js
+  static const PRInt32 PSM_DEFAULT_MIN_TLS_VERSION = 0;
+  static const PRInt32 PSM_DEFAULT_MAX_TLS_VERSION = 1;
+
+  PRInt32 minVersion = PSM_DEFAULT_MIN_TLS_VERSION;
+  PRInt32 maxVersion = PSM_DEFAULT_MAX_TLS_VERSION;
+  mPrefBranch->GetIntPref("security.tls.version.min", &minVersion);
+  mPrefBranch->GetIntPref("security.tls.version.max", &maxVersion);
+
+  // 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.
+  minVersion += SSL_LIBRARY_VERSION_3_0;
+  maxVersion += SSL_LIBRARY_VERSION_3_0;
+
+  SSLVersionRange range = { (PRUint16) minVersion, (PRUint16) maxVersion };
+
+  if (minVersion != (PRInt32) range.min || // prevent truncation
+      maxVersion != (PRInt32) range.max || // prevent truncation
+      SSL_VersionRangeSetDefault(ssl_variant_stream, &range) != SECSuccess) {
+    range.min = SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION;
+    range.max = SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION;
+    if (SSL_VersionRangeSetDefault(ssl_variant_stream, &range)
+          != SECSuccess) {
+      return NS_ERROR_UNEXPECTED;
+    }
+  }
+
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 nsNSSComponent::SkipOcsp()
 {
@ -1733,11 +1767,15 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)

      SSL_OptionSetDefault(SSL_ENABLE_SSL2, false);
      SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false);
-      bool enabled;
-      mPrefBranch->GetBoolPref("security.enable_ssl3", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_SSL3, enabled);
-      mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
+
+      rv = setEnabledTLSVersions(mPrefBranch);
+      if (NS_FAILED(rv)) {
+        nsPSMInitPanic::SetPanic();
+        return NS_ERROR_UNEXPECTED;
+      }
+
+      bool enabled = true; // XXX: see bug 733644
+
      mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
      configureMD5(enabled);

@ -2218,13 +2256,9 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
    bool enabled;
    NS_ConvertUTF16toUTF8  prefName(someData);

-    if (prefName.Equals("security.enable_ssl3")) {
-      mPrefBranch->GetBoolPref("security.enable_ssl3", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_SSL3, enabled);
-      clearSessionCache = true;
-    } else if (prefName.Equals("security.enable_tls")) {
-      mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
+    if (prefName.Equals("security.tls.version.min") ||
+        prefName.Equals("security.tls.version.max")) {
+      (void) setEnabledTLSVersions(mPrefBranch);
      clearSessionCache = true;
    } else if (prefName.Equals("security.enable_md5_signatures")) {
      mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
--- a/security/manager/ssl/src/nsNSSComponent.h
+++ b/security/manager/ssl/src/nsNSSComponent.h
@ -281,6 +281,7 @@ private:
  void UnloadLoadableRoots();
  void CleanupIdentityInfo();
  void setValidationOptions(nsIPrefBranch * pref);
+  nsresult setEnabledTLSVersions(nsIPrefBranch * pref);
  nsresult InitializePIPNSSBundle();
  nsresult ConfigureInternalPKCS11Token();
  nsresult RegisterPSMContentListener();