Bug 1084025 - Add telemetry to measure failures due to not falling back. r=keeler

Masatoshi Kimura 2014-12-09 07:19:05 +09:00
Родитель 9404624ff3
Коммит b95c85162f
3 изменённых файлов: 57 добавлений и 4 удалений


@ -870,18 +870,21 @@ nsSSLIOLayerHelpers::rememberTolerantAtVersion(const nsACString& hostName,
mTLSIntoleranceInfo.Put(key, entry);
}
void nsSSLIOLayerHelpers::forgetIntolerance(const nsACString& hostName,
int16_t port)
uint16_t
nsSSLIOLayerHelpers::forgetIntolerance(const nsACString& hostName,
int16_t port)
{
nsCString key;
getSiteKey(hostName, port, key);
MutexAutoLock lock(mutex);
uint16_t tolerant = 0;
IntoleranceEntry entry;
if (mTLSIntoleranceInfo.Get(key, &entry)) {
entry.AssertInvariant();
tolerant = entry.tolerant;
entry.intolerant = 0;
entry.intoleranceReason = 0;
if (entry.strongCipherStatus != StrongCiphersWorked) {
@ -891,6 +894,8 @@ void nsSSLIOLayerHelpers::forgetIntolerance(const nsACString& hostName,
entry.AssertInvariant();
mTLSIntoleranceInfo.Put(key, entry);
}
return tolerant;
}
// returns true if we should retry the handshake
@ -903,7 +908,47 @@ nsSSLIOLayerHelpers::rememberIntolerantAtVersion(const nsACString& hostName,
{
if (intolerant <= minVersion || intolerant <= mVersionFallbackLimit) {
// We can't fall back any further. Assume that intolerance isn't the issue.
forgetIntolerance(hostName, port);
uint32_t tolerant = forgetIntolerance(hostName, port);
// If we know the server is tolerant at the version, we don't have to
// gather the telemetry.
if (intolerant <= tolerant) {
return false;
}
uint32_t fallbackLimitBucket = 0;
// added if the version has reached the min version.
if (intolerant <= minVersion) {
switch (minVersion) {
case SSL_LIBRARY_VERSION_TLS_1_0:
fallbackLimitBucket += 1;
break;
case SSL_LIBRARY_VERSION_TLS_1_1:
fallbackLimitBucket += 2;
break;
case SSL_LIBRARY_VERSION_TLS_1_2:
fallbackLimitBucket += 3;
break;
}
}
// added if the version has reached the fallback limit.
if (intolerant <= mVersionFallbackLimit) {
switch (mVersionFallbackLimit) {
case SSL_LIBRARY_VERSION_TLS_1_0:
fallbackLimitBucket += 4;
break;
case SSL_LIBRARY_VERSION_TLS_1_1:
fallbackLimitBucket += 8;
break;
case SSL_LIBRARY_VERSION_TLS_1_2:
fallbackLimitBucket += 12;
break;
}
}
if (fallbackLimitBucket) {
Telemetry::Accumulate(Telemetry::SSL_FALLBACK_LIMIT_REACHED,
fallbackLimitBucket);
}
return false;
}
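Review bot: The bucket encoding in this hunk is the inverse of what the new SSL_FALLBACK_LIMIT_REACHED description in Histograms.json documents: the code adds 1/2/3 when `intolerant <= minVersion` (the "min version" branch) and 4/8/12 when `intolerant <= mVersionFallbackLimit`, while the description assigns 1/2/3 to "reached the fallback limit" and 4/8/12 to "the minimum version", so anyone reading the histogram will attribute samples to the wrong limit. The comments next to each switch agree with the code, so the description is the line to fix: `"description": "TLS/SSL version fallback reached the minimum version (1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2) or the fallback limit (4=TLS 1.0, 8=TLS 1.1, 12=TLS 1.2), stopped the fallback"`. Separately, neither switch has a `default:` case, so if minVersion or mVersionFallbackLimit is ever a value other than TLS 1.0–1.2 (an SSL 3.0 setting, if that is still reachable via prefs — I cannot confirm from the hunk), fallbackLimitBucket stays 0 and the `if (fallbackLimitBucket)` guard silently drops the sample, which is exactly the case one would most want counted; a short comment stating that this is intentional, or a `default:` that records a distinct bucket, would make the choice explicit. Minor: `tolerant` is declared `uint32_t` although forgetIntolerance now returns `uint16_t`; using `uint16_t tolerant` keeps the types aligned. The enclosing rememberIntolerantAtVersion begins before this hunk, so the types of `intolerant` and `minVersion` are not visible here.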


@ -225,7 +225,9 @@ public:
PRErrorCode intoleranceReason);
bool rememberStrongCiphersFailed(const nsACString& hostName, int16_t port,
PRErrorCode intoleranceReason);
void forgetIntolerance(const nsACString& hostname, int16_t port);
// returns the known tolerant version
// or 0 if there is no known tolerant version
uint16_t forgetIntolerance(const nsACString& hostname, int16_t port);
void adjustForTLSIntolerance(const nsACString& hostname, int16_t port,
/*in/out*/ SSLVersionRange& range,
/*out*/ StrongCipherStatus& strongCipherStatus);
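Review bot: The new comment on forgetIntolerance documents only the return value, but the method's contract has changed from a pure reset to a reset-and-query, and callers choosing whether to use the returned value need to know that the record is cleared as a side effect. Suggested replacement for the two comment lines: `// Clears the recorded intolerance for hostname:port and returns the version the server is known to be tolerant at, or 0 if no tolerant version is known.` The .cpp hunk also shows the returned value is read from the entry before the intolerance fields are reset, which is worth stating so a future reordering does not break it.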


@ -6480,6 +6480,12 @@
"n_values": 64,
"description": "TLS/SSL version intolerance was falsely detected, server rejected handshake"
},
"SSL_FALLBACK_LIMIT_REACHED": {
"expires_in_version": "default",
"kind": "enumerated",
"n_values": 16,
"description": "TLS/SSL version fallback reached the fallback limit (1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2) or the minimum version (4=TLS 1.0, 8=TLS 1.1, 12=TLS 1.2), stopped the fallback"
},
"SSL_WEAK_CIPHERS_FALLBACK": {
"expires_in_version": "never",
"kind": "enumerated",