Bug 1092998 - Deal with "cipher mismatch intolerant" servers. r=keeler

Masatoshi Kimura 2014-11-27 07:19:11 +09:00
Родитель 5b9e4409a2
Коммит 8277eea9e9
4 изменённых файлов: 24 добавлений и 19 удалений


@ -939,7 +939,8 @@ nsSSLIOLayerHelpers::rememberIntolerantAtVersion(const nsACString& hostName,
// returns true if we should retry the handshake
bool
nsSSLIOLayerHelpers::rememberStrongCiphersFailed(const nsACString& hostName,
int16_t port)
int16_t port,
PRErrorCode intoleranceReason)
{
nsCString key;
getSiteKey(hostName, port, key);
@ -956,7 +957,7 @@ nsSSLIOLayerHelpers::rememberStrongCiphersFailed(const nsACString& hostName,
} else {
entry.tolerant = 0;
entry.intolerant = 0;
entry.intoleranceReason = SSL_ERROR_NO_CYPHER_OVERLAP;
entry.intoleranceReason = intoleranceReason;
}
entry.strongCipherStatus = StrongCiphersFailed;
@ -1209,15 +1210,17 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
.forgetIntolerance(socketInfo->GetHostName(), socketInfo->GetPort());
return false;
} else if (err == SSL_ERROR_NO_CYPHER_OVERLAP &&
} else if ((err == SSL_ERROR_NO_CYPHER_OVERLAP ||
err == PR_END_OF_FILE_ERROR) &&
nsNSSComponent::AreAnyWeakCiphersEnabled()) {
if (socketInfo->SharedState().IOLayerHelpers()
.rememberStrongCiphersFailed(socketInfo->GetHostName(),
socketInfo->GetPort())) {
Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK, true);
socketInfo->GetPort(), err)) {
Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK,
tlsIntoleranceTelemetryBucket(err));
return true;
}
Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK, false);
Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK, 0);
}
// When not using a proxy we'll see a connection reset error.
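Review bot: Adding PR_END_OF_FILE_ERROR to the weak-cipher condition widens the fallback trigger from an explicit no-overlap failure to any connection that is simply closed after the ClientHello, and because this branch sits ahead of the reset/EOF handling the trailing comment refers to, an EOF will now take the weak-cipher path first whenever any weak cipher is enabled. A server that closes instead of alerting is the stated target, but an on-path party that drops the connection could presumably trigger the same retry, so the downgrade is bounded only by AreAnyWeakCiphersEnabled() and the per-host memory in rememberStrongCiphersFailed. That trade-off deserves a comment at the condition, e.g. `// Some servers close the connection instead of sending no_cipher_overlap; treat EOF as cipher intolerance too. This is a deliberate downgrade window, gated on weak ciphers being enabled at all.` retryDueToTLSIntolerance continues beyond the hunk, so the interaction with the later reset/EOF branch cannot be confirmed from here.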


@ -223,7 +223,8 @@ public:
bool rememberIntolerantAtVersion(const nsACString& hostname, int16_t port,
uint16_t intolerant, uint16_t minVersion,
PRErrorCode intoleranceReason);
bool rememberStrongCiphersFailed(const nsACString& hostName, int16_t port);
bool rememberStrongCiphersFailed(const nsACString& hostName, int16_t port,
PRErrorCode intoleranceReason);
void forgetIntolerance(const nsACString& hostname, int16_t port);
void adjustForTLSIntolerance(const nsACString& hostname, int16_t port,
/*in/out*/ SSLVersionRange& range,
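Review bot: The header gains a third parameter but carries no documentation for rememberStrongCiphersFailed, while the .cpp side notes the return contract ("returns true if we should retry the handshake"); the meaning of intoleranceReason is only discoverable by reading the implementation. Suggest a declaration comment such as `// Records that the strong-cipher handshake to hostName:port failed for intoleranceReason (an NSPR/NSS error code, 0 if unknown). Returns true if the handshake should be retried.` so callers passing 0 (as the tests now do) know that is an accepted placeholder.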


@ -33,7 +33,7 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process)
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
ASSERT_EQ(StrongCipherStatusUnknown, strongCipherStatus);
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
}
{
@ -45,7 +45,7 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process)
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
range.min, range.max, 0));
}
@ -59,7 +59,7 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process)
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
range.min, range.max, 0));
}
@ -73,7 +73,7 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process)
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max);
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
range.min, range.max, 0));
}
@ -88,7 +88,7 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process)
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.max);
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
// false because we reached the floor set by range.min
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
range.min, range.max, 0));
@ -282,7 +282,7 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed)
{
helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_1;
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
{
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
@ -342,7 +342,7 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_At_1_1)
SSL_LIBRARY_VERSION_TLS_1_2 };
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
}
{
@ -375,7 +375,7 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_With_High_Limit)
// to mark an origin as version intolerant fail
helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_2;
// ...but weak ciphers fallback will not be disabled
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
SSL_LIBRARY_VERSION_3_0,
SSL_LIBRARY_VERSION_TLS_1_2,
@ -392,7 +392,7 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_With_High_Limit)
TEST_F(TLSIntoleranceTest, Test_Tolerant_Does_Not_Override_Weak_Ciphers_Fallback)
{
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
// No adjustment made when intolerant is zero.
helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
@ -409,7 +409,7 @@ TEST_F(TLSIntoleranceTest, Test_Weak_Ciphers_Fallback_Does_Not_Override_Tolerant
// No adjustment made when there is no entry for the site.
helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
// false because strongCipherWorked is set by rememberTolerantAtVersion.
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
SSL_LIBRARY_VERSION_TLS_1_2 };
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
@ -452,7 +452,7 @@ TEST_F(TLSIntoleranceTest, TLS_Forget_Intolerance)
TEST_F(TLSIntoleranceTest, TLS_Forget_Strong_Cipher_Failed)
{
{
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT));
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
SSL_LIBRARY_VERSION_TLS_1_2 };
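Review bot: Every updated call passes 0 for the new intoleranceReason argument, so nothing in this test file exercises the behaviour the commit adds — that the supplied reason is stored in the intolerance entry instead of the previous hard-coded SSL_ERROR_NO_CYPHER_OVERLAP. One assertion that calls `helpers.rememberStrongCiphersFailed(HOST, PORT, PR_END_OF_FILE_ERROR)` and then checks the recorded reason would pin the new contract; whether the fixture exposes the entry's intoleranceReason directly is not visible from this hunk, so the check may need a small accessor.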


@ -6455,7 +6455,8 @@
},
"SSL_WEAK_CIPHERS_FALLBACK": {
"expires_in_version": "never",
"kind": "boolean",
"kind": "enumerated",
"n_values": 64,
"description": "Fallback attempted when server did not support any strong cipher suites"
},
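Review bot: The histogram changes kind from boolean to a 64-value enumerated, but the description still reads as a yes/no ("Fallback attempted when ..."), so consumers cannot tell what the bucket index means or that 0 now stands for "no fallback". Suggest `"description": "Weak cipher fallback result: 0 = not attempted, otherwise the TLS intolerance telemetry bucket of the error that triggered the fallback"`. Since expires_in_version is "never", existing boolean data series presumably continue under the same name; if the pipeline does not tolerate a kind change in place, renaming the probe may be the safer route — worth confirming.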
"SSL_CIPHER_SUITE_FULL": {