From a7ed72cb2ecc31efeee663f5fde71eae9237c9f4 Mon Sep 17 00:00:00 2001
From: Martin Thomson
Date: Fri, 27 Sep 2019 01:26:08 +0000
Subject: [PATCH] Bug 1579285 - Add pref to override minimum TLS version r=keeler

The intent of adding this pref is to allow us to change defaults for security.tls.version.min for a progressive rollout of a TLS 1.0 and 1.1 deprecation. During that process, we'd like to offer the option to enable these old TLS versions, without adding a pref override that would cause those versions to remain enabled once we finish the rollout. Those people who have triggered the override will be able to access TLS 1.0 and 1.1 sites until we eventually remove the code that respects this pref. What is likely to happen is that this pref will remain in code past the end of our rollout for part of a release cycle, plus maybe the next cycle depending on how timing works out. This pref is a simple boolean that we'll remove in March 2020.

Differential Revision: https://phabricator.services.mozilla.com/D45798

--HG--
extra : moz-landing-system : lando
---
 modules/libpref/init/all.js | 1 +
 security/manager/ssl/nsNSSComponent.cpp | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index df36202fe947..153e14ea61be 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -25,6 +25,7 @@ pref("security.tls.version.min", 3);
 #endif
 pref("security.tls.version.max", 4);
+pref("security.tls.version.enable-deprecated", false);
 pref("security.tls.version.fallback-limit", 4);
 pref("security.tls.insecure_fallback_hosts", "");
 // Turn off post-handshake authentication for TLS 1.3 by default,
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 17eedaf921e2..715a2eaa15e2 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1259,6 +1259,14 @@ nsresult nsNSSComponent::setEnabledTLSVersions() {
 uint32_t maxFromPrefs = Preferences::GetUint("security.tls.version.max", PSM_DEFAULT_MAX_TLS_VERSION);
+ // This override should be removed when PSM_DEFAULT_MIN_TLS_VERSION is increased
+ // to 3 in March 2020, see bug 1579285.
+ bool enableDeprecated = Preferences::GetBool("security.tls.version.enable-deprecated",
+ false);
+ if (enableDeprecated) {
+ minFromPrefs = std::min(minFromPrefs, PSM_DEFAULT_MIN_TLS_VERSION);
+ }
+
 SSLVersionRange defaults = { SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION, SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION};
@@ -1910,7 +1918,8 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
 NS_ConvertUTF16toUTF8 prefName(someData);
 if (prefName.EqualsLiteral("security.tls.version.min") ||
- prefName.EqualsLiteral("security.tls.version.max")) {
+ prefName.EqualsLiteral("security.tls.version.max") ||
+ prefName.EqualsLiteral("security.tls.version.enable-deprecated")) {
 (void)setEnabledTLSVersions();
 } else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) {
 bool enableDowngradeCheck = Preferences::GetBool(
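Review bot: The removal deadline for the enable-deprecated override lives only in a comment, and the added `minFromPrefs = std::min(minFromPrefs, PSM_DEFAULT_MIN_TLS_VERSION);` does not become inert once that constant is raised to 3: while the boolean is true it still pulls a stricter user-set minimum (presumably what `minFromPrefs`, declared before this hunk, holds — for example 4 for TLS 1.3-only) down to the compiled-in default. Since the comment already ties removal to the constant reaching 3, let the build enforce it with `static_assert(PSM_DEFAULT_MIN_TLS_VERSION < 3, "remove the security.tls.version.enable-deprecated override (bug 1579285)");` placed next to the override, assuming the constant's definition (outside this hunk) makes it usable in a constant expression. The same lowering applies today to anyone who raised `security.tls.version.min` above the default and then flips this pref, so the comment should state it: `// Lowers the minimum back to the compiled-in default, even below a user-set security.tls.version.min.` The function starts before the hunk and the range is presumably validated against `defaults` after it, so whether the override sits before that validation could not be checked here.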