Bug 1626495 - Re-enable TLS 1.0 for release, r=keeler

This effectively backs out https://hg.mozilla.org/mozilla-central/rev/1d07ac23cc5a95bd8247054acd87883fc4585738 MozReview-Commit-ID: 8tI373kNU62 Differential Revision: https://phabricator.services.mozilla.com/D69149 --HG-- extra : moz-landing-system : lando
2020-04-01 15:24:12 +00:00 · 2020-04-01 15:24:12 +00:00 · cbd463110b
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -19,7 +19,11 @@
 // improves readability, particular for conditional blocks that exceed a single
 // screen.

-pref("security.tls.version.min", 3);
+#if MOZ_UPDATE_CHANNEL == release || MOZ_UPDATE_CHANNEL == esr
+  pref("security.tls.version.min", 1);
+#else
+  pref("security.tls.version.min", 3);
+#endif
 pref("security.tls.version.max", 4);
 pref("security.tls.version.enable-deprecated", false);
 pref("security.tls.version.fallback-limit", 4);
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@ -1478,7 +1478,7 @@ void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
 nsresult nsNSSComponent::SetEnabledTLSVersions() {
  // Keep these values in sync with all.js.
  // 1 means TLS 1.0, 2 means TLS 1.1, etc.
-  static const uint32_t PSM_DEFAULT_MIN_TLS_VERSION = 3;
+  static const uint32_t PSM_DEFAULT_MIN_TLS_VERSION = 1;
  static const uint32_t PSM_DEFAULT_MAX_TLS_VERSION = 4;
  static const uint32_t PSM_DEPRECATED_TLS_VERSION = 1;

--- a/toolkit/components/extensions/test/xpcshell/test_ext_privacy.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_privacy.js
@ -24,6 +24,11 @@ AddonTestUtils.overrideCertDB();

 createAppInfo("xpcshell@tests.mozilla.org", "XPCShell", "1", "42");

+// Currently security.tls.version.min has a different default
+// value in Nightly and Beta as opposed to Release builds.
+const tlsMinPref = Services.prefs.getIntPref("security.tls.version.min");
+const tlsMinVer = tlsMinPref === 3 ? "TLSv1.2" : "TLSv1";
+
 add_task(async function test_privacy() {
  // Create an object to hold the values to which we will initialize the prefs.
  const SETTINGS = {
@ -279,7 +284,7 @@ add_task(async function test_privacy_other_prefs() {
      "media.peerconnection.ice.proxy_only": false,
    },
    "network.tlsVersionRestriction": {
-      "security.tls.version.min": 3,
+      "security.tls.version.min": tlsMinPref,
      "security.tls.version.max": 4,
    },
    "network.peerConnectionEnabled": {
@ -586,11 +591,11 @@ add_task(async function test_privacy_other_prefs() {
      maximum: "TLSv1.1",
    },
    {
-      "security.tls.version.min": 3,
+      "security.tls.version.min": tlsMinPref,
      "security.tls.version.max": 4,
    },
    {
-      minimum: "TLSv1.2",
+      minimum: tlsMinVer,
      maximum: "TLSv1.3",
    }
  );
@ -602,11 +607,11 @@ add_task(async function test_privacy_other_prefs() {
      maximum: "TLSv1.2",
    },
    {
-      "security.tls.version.min": 3,
+      "security.tls.version.min": tlsMinPref,
      "security.tls.version.max": 3,
    },
    {
-      minimum: "TLSv1.2",
+      minimum: tlsMinVer,
      maximum: "TLSv1.2",
    }
  );
@ -618,11 +623,11 @@ add_task(async function test_privacy_other_prefs() {
      maximum: "invalid",
    },
    {
-      "security.tls.version.min": 3,
+      "security.tls.version.min": tlsMinPref,
      "security.tls.version.max": 4,
    },
    {
-      minimum: "TLSv1.2",
+      minimum: tlsMinVer,
      maximum: "TLSv1.3",
    }
  );
@ -664,11 +669,11 @@ add_task(async function test_privacy_other_prefs() {
      maximum: "TLSv1.2",
    },
    {
-      "security.tls.version.min": 3,
+      "security.tls.version.min": tlsMinPref,
      "security.tls.version.max": 3,
    },
    {
-      minimum: "TLSv1.2",
+      minimum: tlsMinVer,
      maximum: "TLSv1.2",
    }
  );