Bug 1106470 - Drop SSLv3 support entirely from PSM. r=keeler
Родитель
b6f5257874
Коммит
83b1b594b5
|
@ -1140,15 +1140,15 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
|
|||
infoObject->GetPort(),
|
||||
versions.max);
|
||||
|
||||
bool usesWeakProtocol = false;
|
||||
bool usesWeakCipher = false;
|
||||
SSLChannelInfo channelInfo;
|
||||
rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo));
|
||||
MOZ_ASSERT(rv == SECSuccess);
|
||||
if (rv == SECSuccess) {
|
||||
// Get the protocol version for telemetry
|
||||
// 0=ssl3, 1=tls1, 2=tls1.1, 3=tls1.2
|
||||
// 1=tls1, 2=tls1.1, 3=tls1.2
|
||||
unsigned int versionEnum = channelInfo.protocolVersion & 0xFF;
|
||||
MOZ_ASSERT(versionEnum > 0);
|
||||
Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_VERSION, versionEnum);
|
||||
AccumulateCipherSuite(
|
||||
infoObject->IsFullHandshake() ? Telemetry::SSL_CIPHER_SUITE_FULL
|
||||
|
@ -1160,8 +1160,6 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
|
|||
sizeof cipherInfo);
|
||||
MOZ_ASSERT(rv == SECSuccess);
|
||||
if (rv == SECSuccess) {
|
||||
usesWeakProtocol =
|
||||
channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0;
|
||||
usesWeakCipher = cipherInfo.symCipher == ssl_calg_rc4;
|
||||
|
||||
// keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4
|
||||
|
@ -1238,11 +1236,8 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
|
|||
ioLayerHelpers.treatUnsafeNegotiationAsBroken();
|
||||
|
||||
uint32_t state;
|
||||
if (usesWeakProtocol || usesWeakCipher || renegotiationUnsafe) {
|
||||
if (usesWeakCipher || renegotiationUnsafe) {
|
||||
state = nsIWebProgressListener::STATE_IS_BROKEN;
|
||||
if (usesWeakProtocol) {
|
||||
state |= nsIWebProgressListener::STATE_USES_SSL_3;
|
||||
}
|
||||
if (usesWeakCipher) {
|
||||
state |= nsIWebProgressListener::STATE_USES_WEAK_CRYPTO;
|
||||
}
|
||||
|
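Review bot: `MOZ_ASSERT(versionEnum > 0);` in the first hunk of HandshakeCallback is debug-only, so a release build that somehow negotiated SSL 3.0 would now accumulate bucket 0 of SSL_HANDSHAKE_VERSION silently and, with the `usesWeakProtocol` path removed in the third hunk, would no longer mark the channel with STATE_USES_SSL_3. If the intent is that the enabled version range makes this unreachable, say so at the assertion: `// SSL 3.0 is outside the enabled version range (see FillTLSVersionRange), so 0 cannot occur; a hit here means the range was not applied to this socket.` If PSM treats other "impossible" states as hard errors in release builds, handling `versionEnum == 0` the same way rather than relying on the assert alone would be consistent. HandshakeCallback's body continues outside these hunks.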
|
|
@ -701,9 +701,9 @@ nsNSSComponent::UseWeakCiphersOnSocket(PRFileDesc* fd)
|
|||
}
|
||||
}
|
||||
|
||||
// This function will convert from pref values like 0, 1, ...
|
||||
// to the internal values of SSL_LIBRARY_VERSION_3_0,
|
||||
// SSL_LIBRARY_VERSION_TLS_1_0, ...
|
||||
// This function will convert from pref values like 1, 2, ...
|
||||
// to the internal values of SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
// SSL_LIBRARY_VERSION_TLS_1_1, ...
|
||||
/*static*/ void
|
||||
nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut,
|
||||
uint32_t minFromPrefs,
|
||||
|
@ -712,8 +712,8 @@ nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut,
|
|||
{
|
||||
rangeOut = defaults;
|
||||
// determine what versions are supported
|
||||
SSLVersionRange range;
|
||||
if (SSL_VersionRangeGetSupported(ssl_variant_stream, &range)
|
||||
SSLVersionRange supported;
|
||||
if (SSL_VersionRangeGetSupported(ssl_variant_stream, &supported)
|
||||
!= SECSuccess) {
|
||||
return;
|
||||
}
|
||||
|
@ -723,7 +723,8 @@ nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut,
|
|||
maxFromPrefs += SSL_LIBRARY_VERSION_3_0;
|
||||
// if min/maxFromPrefs are invalid, use defaults
|
||||
if (minFromPrefs > maxFromPrefs ||
|
||||
minFromPrefs < range.min || maxFromPrefs > range.max) {
|
||||
minFromPrefs < supported.min || maxFromPrefs > supported.max ||
|
||||
minFromPrefs < SSL_LIBRARY_VERSION_TLS_1_0) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -889,7 +890,7 @@ nsresult
|
|||
nsNSSComponent::setEnabledTLSVersions()
|
||||
{
|
||||
// keep these values in sync with security-prefs.js
|
||||
// 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.
|
||||
// 1 means TLS 1.0, 2 means TLS 1.1, etc.
|
||||
static const uint32_t PSM_DEFAULT_MIN_TLS_VERSION = 1;
|
||||
static const uint32_t PSM_DEFAULT_MAX_TLS_VERSION = 3;
|
||||
|
||||
|
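Review bot: The new lower-bound test `minFromPrefs < SSL_LIBRARY_VERSION_TLS_1_0` in FillTLSVersionRange silently keeps `defaults` when a profile still carries the old minimum pref value 0, with nothing distinguishing that case from the other invalid combinations in the same condition. A one-line comment would make the intent explicit: `// pref value 0 (SSL 3.0) is no longer supported; treat it like any other invalid range and keep the defaults`. Since `maxFromPrefs += SSL_LIBRARY_VERSION_3_0` remains the conversion base while the header comment now says prefs start at 1, a note that the base is deliberately unchanged so the existing pref numbering (1 = TLS 1.0) still maps correctly would save the next reader a detour. The comment in setEnabledTLSVersions says to keep the constants in sync with security-prefs.js, and that file is not in this page; presumably its defaults were updated in the same change, but it is worth confirming.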
|
|
@ -1174,20 +1174,9 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
|
|||
|
||||
// When not using a proxy we'll see a connection reset error.
|
||||
// When using a proxy, we'll see an end of file error.
|
||||
// In addition check for some error codes where it is reasonable
|
||||
// to retry without TLS.
|
||||
|
||||
// Don't allow STARTTLS connections to fall back on connection resets or
|
||||
// EOF. Also, don't fall back from TLS 1.0 to SSL 3.0 for connection
|
||||
// resets, because connection resets have too many false positives,
|
||||
// and we want to maximize how often we send TLS 1.0+ with extensions
|
||||
// if at all reasonable. Unfortunately, it appears we have to allow
|
||||
// fallback from TLS 1.2 and TLS 1.1 for connection resets due to bad
|
||||
// servers and possibly bad intermediaries.
|
||||
if (err == PR_CONNECT_RESET_ERROR &&
|
||||
range.max <= SSL_LIBRARY_VERSION_TLS_1_0) {
|
||||
return false;
|
||||
}
|
||||
// EOF.
|
||||
if ((err == PR_CONNECT_RESET_ERROR || err == PR_END_OF_FILE_ERROR)
|
||||
&& socketInfo->GetForSTARTTLS()) {
|
||||
return false;
|
||||
|
@ -1213,10 +1202,6 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
|
|||
pre = Telemetry::SSL_TLS10_INTOLERANCE_REASON_PRE;
|
||||
post = Telemetry::SSL_TLS10_INTOLERANCE_REASON_POST;
|
||||
break;
|
||||
case SSL_LIBRARY_VERSION_3_0:
|
||||
pre = Telemetry::SSL_SSL30_INTOLERANCE_REASON_PRE;
|
||||
post = Telemetry::SSL_SSL30_INTOLERANCE_REASON_POST;
|
||||
break;
|
||||
default:
|
||||
MOZ_CRASH("impossible TLS version");
|
||||
return false;
|
||||
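Review bot: Removing the `err == PR_CONNECT_RESET_ERROR && range.max <= SSL_LIBRARY_VERSION_TLS_1_0` early return in retryDueToTLSIntolerance leaves the TLS 1.0 floor on connection resets to whatever rememberIntolerantAtVersion and the fallback limit enforce, and that reasoning is no longer stated anywhere in this function. A comment where the removed check sat would preserve the part that still holds: `// There is no version below TLS 1.0 to fall back to now that SSL 3.0 is gone; the floor is enforced by the version range and the fallback limit, not here.` In the second hunk, dropping the `SSL_LIBRARY_VERSION_3_0` case means an SSL 3.0 value now reaches `MOZ_CRASH("impossible TLS version")`, which is only correct if the range floor is guaranteed upstream; a short note on the `default:` case saying so would help. retryDueToTLSIntolerance's body extends beyond both hunks.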
|
|
|
@ -21,15 +21,15 @@ protected:
|
|||
|
||||
TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process)
|
||||
{
|
||||
helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_3_0;
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, helpers.mVersionFallbackLimit);
|
||||
|
||||
// No adjustment made when there is no entry for the site.
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
ASSERT_EQ(StrongCipherStatusUnknown, strongCipherStatus);
|
||||
|
||||
|
@ -41,11 +41,11 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process)
|
|||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
|
||||
|
||||
|
@ -55,11 +55,11 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process)
|
|||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
|
||||
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
|
||||
|
||||
|
@ -69,41 +69,25 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process)
|
|||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max);
|
||||
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
|
||||
|
||||
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
|
||||
ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
range.min, range.max, 0));
|
||||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.max);
|
||||
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
|
||||
|
||||
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
|
||||
// false because we reached the floor set by range.min
|
||||
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
range.min, range.max, 0));
|
||||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
// When rememberIntolerantAtVersion returns false, it also resets the
|
||||
// intolerance information for the server.
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
|
@ -117,29 +101,15 @@ TEST_F(TLSIntoleranceTest, Test_Disable_Fallback_With_High_Limit)
|
|||
// to mark an origin as version intolerant fail
|
||||
helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
0));
|
||||
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
0));
|
||||
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
0));
|
||||
}
|
||||
|
||||
TEST_F(TLSIntoleranceTest, Test_Fallback_Limit_Default)
|
||||
{
|
||||
// the default limit prevents SSL 3.0 fallback
|
||||
ASSERT_EQ(helpers.mVersionFallbackLimit, SSL_LIBRARY_VERSION_TLS_1_0);
|
||||
ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
0));
|
||||
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
0));
|
||||
}
|
||||
|
@ -153,11 +123,11 @@ TEST_F(TLSIntoleranceTest, Test_Fallback_Limit_Below_Min)
|
|||
SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
0));
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
|
||||
ASSERT_EQ(StrongCipherStatusUnknown, strongCipherStatus);
|
||||
}
|
||||
|
@ -171,15 +141,15 @@ TEST_F(TLSIntoleranceTest, Test_Fallback_Limit_Below_Min)
|
|||
TEST_F(TLSIntoleranceTest, Test_Tolerant_Overrides_Intolerant_1)
|
||||
{
|
||||
ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
0));
|
||||
helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
|
||||
ASSERT_EQ(StrongCiphersWorked, strongCipherStatus);
|
||||
}
|
||||
|
@ -187,15 +157,15 @@ TEST_F(TLSIntoleranceTest, Test_Tolerant_Overrides_Intolerant_1)
|
|||
TEST_F(TLSIntoleranceTest, Test_Tolerant_Overrides_Intolerant_2)
|
||||
{
|
||||
ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
0));
|
||||
helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_2);
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
ASSERT_EQ(StrongCiphersWorked, strongCipherStatus);
|
||||
}
|
||||
|
@ -206,14 +176,14 @@ TEST_F(TLSIntoleranceTest, Test_Intolerant_Does_Not_Override_Tolerant)
|
|||
helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
|
||||
// false because we reached the floor set by rememberTolerantAtVersion.
|
||||
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
0));
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
ASSERT_EQ(StrongCiphersWorked, strongCipherStatus);
|
||||
}
|
||||
|
@ -222,16 +192,16 @@ TEST_F(TLSIntoleranceTest, Test_Port_Is_Relevant)
|
|||
{
|
||||
helpers.rememberTolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_2);
|
||||
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, 1,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
0));
|
||||
ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, 2,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
0));
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, 1, range, strongCipherStatus);
|
||||
|
@ -239,7 +209,7 @@ TEST_F(TLSIntoleranceTest, Test_Port_Is_Relevant)
|
|||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, 2, range, strongCipherStatus);
|
||||
|
@ -257,12 +227,12 @@ TEST_F(TLSIntoleranceTest, Test_Intolerance_Reason_Initial)
|
|||
|
||||
TEST_F(TLSIntoleranceTest, Test_Intolerance_Reason_Stored)
|
||||
{
|
||||
helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_3_0,
|
||||
helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
SSL_ERROR_BAD_SERVER);
|
||||
ASSERT_EQ(SSL_ERROR_BAD_SERVER, helpers.getIntoleranceReason(HOST, 1));
|
||||
|
||||
helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_3_0,
|
||||
helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
SSL_ERROR_BAD_MAC_READ);
|
||||
ASSERT_EQ(SSL_ERROR_BAD_MAC_READ, helpers.getIntoleranceReason(HOST, 1));
|
||||
|
@ -272,7 +242,7 @@ TEST_F(TLSIntoleranceTest, Test_Intolerance_Reason_Cleared)
|
|||
{
|
||||
ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1));
|
||||
|
||||
helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_3_0,
|
||||
helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
|
||||
ASSERT_EQ(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT,
|
||||
|
@ -289,11 +259,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed)
|
|||
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
|
||||
|
||||
|
@ -302,11 +272,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed)
|
|||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
|
||||
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
|
||||
|
||||
|
@ -315,11 +285,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed)
|
|||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
// When rememberIntolerantAtVersion returns false, it also resets the
|
||||
// intolerance information for the server.
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
|
@ -329,11 +299,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed)
|
|||
|
||||
TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_At_1_1)
|
||||
{
|
||||
helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_3_0;
|
||||
helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
|
||||
// No adjustment made when there is no entry for the site.
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
|
@ -342,7 +312,7 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_At_1_1)
|
|||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
|
@ -350,11 +320,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_At_1_1)
|
|||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
|
||||
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
|
||||
|
||||
|
@ -363,11 +333,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_At_1_1)
|
|||
}
|
||||
|
||||
{
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max);
|
||||
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
|
||||
}
|
||||
|
@ -381,15 +351,15 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_With_High_Limit)
|
|||
// ...but weak ciphers fallback will not be disabled
|
||||
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
|
||||
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
0));
|
||||
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_1,
|
||||
0));
|
||||
ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
0));
|
||||
}
|
||||
|
@ -399,11 +369,11 @@ TEST_F(TLSIntoleranceTest, Test_Tolerant_Does_Not_Override_Weak_Ciphers_Fallback
|
|||
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
|
||||
// No adjustment made when intolerant is zero.
|
||||
helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
ASSERT_EQ(StrongCiphersFailed, strongCipherStatus);
|
||||
}
|
||||
|
@ -414,11 +384,11 @@ TEST_F(TLSIntoleranceTest, Test_Weak_Ciphers_Fallback_Does_Not_Override_Tolerant
|
|||
helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
|
||||
// false because strongCipherWorked is set by rememberTolerantAtVersion.
|
||||
ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
ASSERT_EQ(StrongCiphersWorked, strongCipherStatus);
|
||||
}
|
||||
|
@ -427,15 +397,15 @@ TEST_F(TLSIntoleranceTest, TLS_Forget_Intolerance)
|
|||
{
|
||||
{
|
||||
ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
0));
|
||||
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
|
||||
ASSERT_EQ(StrongCipherStatusUnknown, strongCipherStatus);
|
||||
}
|
||||
|
@ -443,11 +413,11 @@ TEST_F(TLSIntoleranceTest, TLS_Forget_Intolerance)
|
|||
{
|
||||
helpers.forgetIntolerance(HOST, PORT);
|
||||
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
ASSERT_EQ(StrongCipherStatusUnknown, strongCipherStatus);
|
||||
}
|
||||
|
@ -458,7 +428,7 @@ TEST_F(TLSIntoleranceTest, TLS_Forget_Strong_Cipher_Failed)
|
|||
{
|
||||
ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0));
|
||||
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
|
@ -468,7 +438,7 @@ TEST_F(TLSIntoleranceTest, TLS_Forget_Strong_Cipher_Failed)
|
|||
{
|
||||
helpers.forgetIntolerance(HOST, PORT);
|
||||
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
|
@ -481,26 +451,26 @@ TEST_F(TLSIntoleranceTest, TLS_Dont_Forget_Tolerance)
|
|||
{
|
||||
helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
|
||||
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
ASSERT_EQ(StrongCiphersWorked, strongCipherStatus);
|
||||
}
|
||||
|
||||
{
|
||||
ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
|
||||
SSL_LIBRARY_VERSION_3_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2,
|
||||
0));
|
||||
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
|
||||
ASSERT_EQ(StrongCiphersWorked, strongCipherStatus);
|
||||
}
|
||||
|
@ -508,11 +478,11 @@ TEST_F(TLSIntoleranceTest, TLS_Dont_Forget_Tolerance)
|
|||
{
|
||||
helpers.forgetIntolerance(HOST, PORT);
|
||||
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
|
||||
SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
|
||||
SSL_LIBRARY_VERSION_TLS_1_2 };
|
||||
StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown;
|
||||
helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
|
||||
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
|
||||
ASSERT_EQ(StrongCiphersWorked, strongCipherStatus);
|
||||
}
|
||||
|
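Review bot: Replacing `helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_3_0;` with `ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, helpers.mVersionFallbackLimit);` at the top of Test_Full_Fallback_Process turns an explicit setup step into a dependency on the fixture default, and the deleted Test_Fallback_Limit_Default was the test that documented that default. A comment on the new assertion, `// The fixture default is the floor now that SSL 3.0 is gone; the fallback sequence below depends on it.`, keeps that intent visible. Nothing in this section exercises the new `minFromPrefs < SSL_LIBRARY_VERSION_TLS_1_0` rejection in FillTLSVersionRange; if no other gtest covers a minimum pref value of 0, a small test for it would lock in the behavior this commit introduces. The remaining hunks of this file are the same SSL_LIBRARY_VERSION_3_0 → SSL_LIBRARY_VERSION_TLS_1_0 substitution and need no separate comment.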
|
|
@ -1230,7 +1230,7 @@
|
|||
"expires_in_version": "never",
|
||||
"kind": "enumerated",
|
||||
"n_values": 16,
|
||||
"description": "SSL Version (0=ssl3, 1=tls1, 2=tls1.1, 3=tls1.2)"
|
||||
"description": "SSL Version (1=tls1, 2=tls1.1, 3=tls1.2)"
|
||||
},
|
||||
"SSL_TIME_UNTIL_READY": {
|
||||
"expires_in_version": "never",
|
||||
|
@ -6721,18 +6721,6 @@
|
|||
"n_values": 64,
|
||||
"description": "detected symptom of TLS 1.0 intolerance, after considering historical info"
|
||||
},
|
||||
"SSL_SSL30_INTOLERANCE_REASON_PRE": {
|
||||
"expires_in_version": "never",
|
||||
"kind": "enumerated",
|
||||
"n_values": 64,
|
||||
"description": "detected symptom of SSL 3.0 intolerance, before considering historical info"
|
||||
},
|
||||
"SSL_SSL30_INTOLERANCE_REASON_POST": {
|
||||
"expires_in_version": "never",
|
||||
"kind": "enumerated",
|
||||
"n_values": 64,
|
||||
"description": "detected symptom of SSL 3.0 intolerance, after considering historical info"
|
||||
},
|
||||
"SSL_VERSION_FALLBACK_INAPPROPRIATE": {
|
||||
"expires_in_version": "never",
|
||||
"kind": "enumerated",
|
||||
|
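Review bot: The updated description of SSL_HANDSHAKE_VERSION drops the meaning of bucket 0 but keeps `"n_values": 16`, so bucket 0 is still a valid enumerated value that anyone reading the histogram has no way to interpret. Stating it explicitly, `"description": "SSL Version (1=tls1, 2=tls1.1, 3=tls1.2; 0 is not expected and would mean SSL 3.0 was negotiated despite being disabled)"`, turns unexpected counts there into something a dashboard can flag rather than a mystery. Removing SSL_SSL30_INTOLERANCE_REASON_PRE and _POST in the second hunk matches the code change; any existing dashboards keyed on those names are outside this page.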
|