diff --git a/browser/devtools/netmonitor/test/browser_net_security-state.js b/browser/devtools/netmonitor/test/browser_net_security-state.js
index 4db121e1f191..ae32473e6704 100644
--- a/browser/devtools/netmonitor/test/browser_net_security-state.js
+++ b/browser/devtools/netmonitor/test/browser_net_security-state.js
@@ -16,6 +16,12 @@ add_task(function* () {
 "rc4.example.com": "security-state-weak",
 };
+ yield new promise(resolve => {
+ SpecialPowers.pushPrefEnv({"set": [
+ ["security.tls.insecure_fallback_hosts", "rc4.example.com"]
+ ]}, resolve);
+ });
+
 let [tab, debuggee, monitor] = yield initNetMonitor(CUSTOM_GET_URL);
 let { $, EVENTS, NetMonitorView } = monitor.panelWin;
 let { RequestsMenu } = NetMonitorView;
diff --git a/browser/devtools/netmonitor/test/browser_net_security-warnings.js b/browser/devtools/netmonitor/test/browser_net_security-warnings.js
index 1cecfb85603c..f900c1d07a17 100644
--- a/browser/devtools/netmonitor/test/browser_net_security-warnings.js
+++ b/browser/devtools/netmonitor/test/browser_net_security-warnings.js
@@ -40,9 +40,12 @@ add_task(function* () {
 let { RequestsMenu, NetworkDetails } = NetMonitorView;
 RequestsMenu.lazyUpdate = false;
- info("Enabling SSLv3 for the test.");
+ info("Enabling SSLv3 and RC4 for the test.");
 yield new promise(resolve => {
- SpecialPowers.pushPrefEnv({"set": [["security.tls.version.min", 0]]}, resolve);
+ SpecialPowers.pushPrefEnv({"set": [
+ ["security.tls.version.min", 0],
+ ["security.tls.insecure_fallback_hosts", "rc4.example.com,ssl3rc4.example.com"]
+ ]}, resolve);
 });
 let cipher = $("#security-warning-cipher");
diff --git a/security/manager/ssl/src/nsNSSIOLayer.cpp b/security/manager/ssl/src/nsNSSIOLayer.cpp
index a9a5df74ccfd..0e643adf5e88 100644
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
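Review bot: The pref push added in the browser_net_security-state.js hunk has no `info()` line explaining why rc4.example.com is being whitelisted, whereas the sibling browser_net_security-warnings.js hunk logs `info("Enabling SSLv3 and RC4 for the test.");` before the same pushPrefEnv call. Add `info("Whitelisting rc4.example.com for RC4 fallback.");` above `yield new promise(resolve => {` so a failing run shows where the security.tls.insecure_fallback_hosts override came from. Both add_task bodies continue outside their hunks.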
@@ -1227,26 +1227,6 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
 return false;
 }
- // Allow PR_CONNECT_RESET_ERROR only for whitelisted sites.
- if (err == PR_CONNECT_RESET_ERROR &&
- !socketInfo->SharedState().IOLayerHelpers()
- .isInsecureFallbackSite(socketInfo->GetHostName())) {
- return false;
- }
-
- if ((err == SSL_ERROR_NO_CYPHER_OVERLAP || err == PR_END_OF_FILE_ERROR ||
- err == PR_CONNECT_RESET_ERROR) &&
- nsNSSComponent::AreAnyWeakCiphersEnabled()) {
- if (socketInfo->SharedState().IOLayerHelpers()
- .rememberStrongCiphersFailed(socketInfo->GetHostName(),
- socketInfo->GetPort(), err)) {
- Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK,
- tlsIntoleranceTelemetryBucket(err));
- return true;
- }
- Telemetry::Accumulate(Telemetry::SSL_WEAK_CIPHERS_FALLBACK, 0);
- }
-
 // When not using a proxy we'll see a connection reset error.
 // When using a proxy, we'll see an end of file error.
 // In addition check for some error codes where it is reasonable
@@ -2635,18 +2615,20 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
 infoObject->SharedState().IOLayerHelpers()
 .adjustForTLSIntolerance(infoObject->GetHostName(), infoObject->GetPort(), range, strongCiphersStatus);
+ bool useWeakCiphers = range.max <= SSL_LIBRARY_VERSION_TLS_1_0 &&
+ nsNSSComponent::AreAnyWeakCiphersEnabled();
 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("[%p] nsSSLIOLayerSetOptions: using TLS version range (0x%04x,0x%04x)%s\n", fd, static_cast(range.min), static_cast(range.max),
- strongCiphersStatus == StrongCiphersFailed ? " with weak ciphers" : ""));
+ useWeakCiphers ? " with weak ciphers" : ""));
 if (SSL_VersionRangeSet(fd, &range) != SECSuccess) {
 return NS_ERROR_FAILURE;
 }
 infoObject->SetTLSVersionRange(range);
- if (strongCiphersStatus == StrongCiphersFailed) {
+ if (useWeakCiphers) {
 nsNSSComponent::UseWeakCiphersOnSocket(fd);
 }
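Review bot: In the second hunk `useWeakCiphers` is derived from `range.max <= SSL_LIBRARY_VERSION_TLS_1_0` and the global weak-cipher pref alone, so the per-host whitelist check that the first hunk deletes from retryDueToTLSIntolerance (`isInsecureFallbackSite`) is no longer visible at the point where weak ciphers are actually turned on; presumably adjustForTLSIntolerance only lowers `range.max` to TLS 1.0 for whitelisted hosts, but that happens outside the hunk and nothing here records it. Add a comment above the new line, e.g. `// Weak ciphers are enabled only once adjustForTLSIntolerance has capped the range at TLS 1.0; that capping must stay restricted to hosts listed in security.tls.insecure_fallback_hosts, otherwise this would apply to every TLS 1.0-only server.` so a later change to the range logic cannot silently widen weak-cipher use. `strongCiphersStatus` is still passed to adjustForTLSIntolerance but, within the visible lines, nothing reads it afterwards; if no other reader remains it can be dropped, and `useWeakCiphers` can be `const bool`. Note also that with SSL_WEAK_CIPHERS_FALLBACK removed from Histograms.json the PR_LOG debug line here becomes the only record that a socket was set up with weak ciphers. nsSSLIOLayerSetOptions continues past the end of the hunk.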
diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json
index 1b1625809e25..55eeb0f16f31 100644
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -6641,12 +6641,6 @@
 "n_values": 16,
 "description": "TLS/SSL version fallback reached the minimum version (1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2) or the fallback limit (4=TLS 1.0, 8=TLS 1.1, 12=TLS 1.2), stopped the fallback"
 },
- "SSL_WEAK_CIPHERS_FALLBACK": {
- "expires_in_version": "never",
- "kind": "enumerated",
- "n_values": 64,
- "description": "Fallback attempted when server did not support any strong cipher suites"
- },
 "SSL_CIPHER_SUITE_FULL": {
 "expires_in_version": "never",
 "kind": "enumerated",