Bug 1124039 - Enable RC4 only if ClientHelloVersion <= TLS 1.0. r=keeler

browser/devtools/netmonitor/test/browser_net_security-state.js

@@ -16,6 +16,12 @@ add_task(function* () {
     "rc4.example.com": "security-state-weak",
   };
 
+  yield new promise(resolve => {
+    SpecialPowers.pushPrefEnv({"set": [
+      ["security.tls.insecure_fallback_hosts", "rc4.example.com"]
+    ]}, resolve);
+  });
+
   let [tab, debuggee, monitor] = yield initNetMonitor(CUSTOM_GET_URL);
   let { $, EVENTS, NetMonitorView } = monitor.panelWin;
   let { RequestsMenu } = NetMonitorView;

browser/devtools/netmonitor/test/browser_net_security-warnings.js

@@ -40,9 +40,12 @@ add_task(function* () {
   let { RequestsMenu, NetworkDetails } = NetMonitorView;
   RequestsMenu.lazyUpdate = false;
 
-  info("Enabling SSLv3 for the test.");
+  info("Enabling SSLv3 and RC4 for the test.");
   yield new promise(resolve => {
-    SpecialPowers.pushPrefEnv({"set": [["security.tls.version.min", 0]]}, resolve);
+    SpecialPowers.pushPrefEnv({"set": [
+      ["security.tls.version.min", 0],
+      ["security.tls.insecure_fallback_hosts", "rc4.example.com,ssl3rc4.example.com"]
+    ]}, resolve);
   });
 
   let cipher = $("#security-warning-cipher");

security/manager/ssl/src/nsNSSIOLayer.cpp

@@ -1227,26 +1227,6 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
     return false;
   }
 
-  // Allow PR_CONNECT_RESET_ERROR only for whitelisted sites.
-  if (err == PR_CONNECT_RESET_ERROR &&
-      !socketInfo->SharedState().IOLayerHelpers()
-        .isInsecureFallbackSite(socketInfo->GetHostName())) {
-    return false;
-  }
-
-  if ((err == SSL_ERROR_NO_CYPHER_OVERLAP || err == PR_END_OF_FILE_ERROR ||
-       err == PR_CONNECT_RESET_ERROR) &&
-      nsNSSComponent::AreAnyWeakCiphersEnabled()) {
-    if (socketInfo->SharedState().IOLayerHelpers()
-                  .rememberStrongCiphersFailed(socketInfo->GetHostName(),
-                                               socketInfo->GetPort(), err)) {
-      Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK,
-                            tlsIntoleranceTelemetryBucket(err));
-      return true;
-    }
-    Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK, 0);
-  }
-
   // When not using a proxy we'll see a connection reset error.
   // When using a proxy, we'll see an end of file error.
   // In addition check for some error codes where it is reasonable
@@ -2635,18 +2615,20 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
   infoObject->SharedState().IOLayerHelpers()
     .adjustForTLSIntolerance(infoObject->GetHostName(), infoObject->GetPort(),
                              range, strongCiphersStatus);
+  bool useWeakCiphers = range.max <= SSL_LIBRARY_VERSION_TLS_1_0 &&
+                        nsNSSComponent::AreAnyWeakCiphersEnabled();
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
          ("[%p] nsSSLIOLayerSetOptions: using TLS version range (0x%04x,0x%04x)%s\n",
           fd, static_cast<unsigned int>(range.min),
               static_cast<unsigned int>(range.max),
-          strongCiphersStatus == StrongCiphersFailed ? " with weak ciphers" : ""));
+          useWeakCiphers ? " with weak ciphers" : ""));
 
   if (SSL_VersionRangeSet(fd, &range) != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
   infoObject->SetTLSVersionRange(range);
 
-  if (strongCiphersStatus == StrongCiphersFailed) {
+  if (useWeakCiphers) {
     nsNSSComponent::UseWeakCiphersOnSocket(fd);
   }
 

toolkit/components/telemetry/Histograms.json

@@ -6641,12 +6641,6 @@
     "n_values": 16,
     "description": "TLS/SSL version fallback reached the minimum version (1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2) or the fallback limit (4=TLS 1.0, 8=TLS 1.1, 12=TLS 1.2), stopped the fallback"
   },
-  "SSL_WEAK_CIPHERS_FALLBACK": {
-    "expires_in_version": "never",
-    "kind": "enumerated",
-    "n_values": 64,
-    "description": "Fallback attempted when server did not support any strong cipher suites"
-  },
   "SSL_CIPHER_SUITE_FULL": {
     "expires_in_version": "never",
     "kind": "enumerated",