Bug 1207137 - Set a security state flag when weak crypto override is needed. r=keeler

security/manager/ssl/nsNSSIOLayer.cpp

@@ -1111,15 +1111,21 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
 
   if ((err == SSL_ERROR_NO_CYPHER_OVERLAP || err == PR_END_OF_FILE_ERROR ||
        err == PR_CONNECT_RESET_ERROR) &&
-      (!fallbackLimitReached || helpers.mUnrestrictedRC4Fallback) &&
-      nsNSSComponent::AreAnyWeakCiphersEnabled()) {
-    if (helpers.rememberStrongCiphersFailed(socketInfo->GetHostName(),
-                                            socketInfo->GetPort(), err)) {
-      Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK,
-                            tlsIntoleranceTelemetryBucket(err));
-      return true;
+       nsNSSComponent::AreAnyWeakCiphersEnabled()) {
+    if (!fallbackLimitReached || helpers.mUnrestrictedRC4Fallback) {
+      if (helpers.rememberStrongCiphersFailed(socketInfo->GetHostName(),
+                                              socketInfo->GetPort(), err)) {
+        Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK,
+                              tlsIntoleranceTelemetryBucket(err));
+        return true;
+      }
+      Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK, 0);
+    } else if (err == SSL_ERROR_NO_CYPHER_OVERLAP) {
+      // Indicate that the override UI should be shown.
+      socketInfo->SetSecurityState(
+        nsIWebProgressListener::STATE_IS_INSECURE |
+        nsIWebProgressListener::STATE_USES_WEAK_CRYPTO);
     }
-    Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK, 0);
   }
 
   // When not using a proxy we'll see a connection reset error.