Bug 1579285 - Add pref to override minimum TLS version r=keeler

The intent of adding this pref is to allow us to change defaults for security.tls.version.min for a progressive rollout of a TLS 1.0 and 1.1 deprecation. During that process, we'd like to offer the option to enable these old TLS versions, without adding a pref override that would cause those versions to remain enabled once we finish the rollout. Those people who have triggered the override will be able to access TLS 1.0 and 1.1 sites until we eventually remove the code that respects this pref. What is likely to happen is that this pref will remain in code past the end of our rollout for part of a release cycle, plus maybe the next cycle depending on how timing works out. This pref is a simple boolean that we'll remove in March 2020. Differential Revision: https://phabricator.services.mozilla.com/D45798 --HG-- extra : moz-landing-system : lando
2019-09-16 19:36:08 +00:00 · 2019-09-16 19:36:08 +00:00 · bcf590a1d0
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -25,6 +25,7 @@
  pref("security.tls.version.min", 3);
 #endif
 pref("security.tls.version.max", 4);
+pref("security.tls.version.enable-deprecated", false);
 pref("security.tls.version.fallback-limit", 4);
 pref("security.tls.insecure_fallback_hosts", "");
 // Turn off post-handshake authentication for TLS 1.3 by default,
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@ -1259,6 +1259,14 @@ nsresult nsNSSComponent::setEnabledTLSVersions() {
  uint32_t maxFromPrefs = Preferences::GetUint("security.tls.version.max",
                                               PSM_DEFAULT_MAX_TLS_VERSION);

+  // This override should be removed when PSM_DEFAULT_MIN_TLS_VERSION is increased
+  // to 3 in March 2020, see bug 1579285.
+  bool enableDeprecated = Preferences::GetBool("security.tls.version.enable-deprecated",
+                                              false);
+  if (enableDeprecated) {
+    minFromPrefs = std::min(minFromPrefs, PSM_DEFAULT_MIN_TLS_VERSION);
+  }
+
  SSLVersionRange defaults = {
      SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION,
      SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION};
@ -1910,7 +1918,8 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
    NS_ConvertUTF16toUTF8 prefName(someData);

    if (prefName.EqualsLiteral("security.tls.version.min") ||
-        prefName.EqualsLiteral("security.tls.version.max")) {
+        prefName.EqualsLiteral("security.tls.version.max") ||
+        prefName.EqualsLiteral("security.tls.version.enable-deprecated")) {
      (void)setEnabledTLSVersions();
    } else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) {
      bool enableDowngradeCheck = Preferences::GetBool(