Bug 1128763 - Do insecure fallback after PR_CONNECT_RESET_ERROR for whitelisted sites only. r=keeler
parent
6fbc2ae89f
commit
21dab1da42
@ -1224,6 +1224,14 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
// Allow PR_CONNECT_RESET_ERROR only for whitelisted sites.
|
||||
if (err == PR_CONNECT_RESET_ERROR &&
|
||||
!socketInfo->SharedState().IOLayerHelpers()
|
||||
.isInsecureFallbackSite(socketInfo->GetHostName())) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ((err == SSL_ERROR_NO_CYPHER_OVERLAP || err == PR_END_OF_FILE_ERROR ||
|
||||
err == PR_CONNECT_RESET_ERROR) &&
|
||||
nsNSSComponent::AreAnyWeakCiphersEnabled()) {
|
||||
@ -1835,6 +1843,13 @@ nsSSLIOLayerHelpers::setInsecureFallbackSites(const nsCString& str)
|
||||
}
|
||||
}
|
||||
|
||||
bool
|
||||
nsSSLIOLayerHelpers::isInsecureFallbackSite(const nsACString& hostname)
|
||||
{
|
||||
MutexAutoLock lock(mutex);
|
||||
return mInsecureFallbackSites.Contains(hostname);
|
||||
}
|
||||
|
||||
void
|
||||
nsSSLIOLayerHelpers::setTreatUnsafeNegotiationAsBroken(bool broken)
|
||||
{
|
||||
|
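Review bot: The new early return in retryDueToTLSIntolerance gates only PR_CONNECT_RESET_ERROR, while PR_END_OF_FILE_ERROR still reaches the weak-cipher retry on the following lines for every host. An abrupt close is presumably no harder for a party on the network path to cause than a reset, so it is worth confirming that leaving EOF ungated is deliberate. The added comment states what the check does but not why, and it does not mention that the return also skips the weak-cipher retry below; something like `// A reset can be forged on the network path, so only hosts on the insecure-fallback list may retry after one; this also skips the weak-cipher retry below.` would cover both. In isInsecureFallbackSite the `Contains(hostname)` lookup looks like an exact match on whatever GetHostName() returns, so a case or trailing-dot difference would fail closed; a one-line comment stating that matching rule would help whoever maintains the list. The body of retryDueToTLSIntolerance starts and ends outside the hunk.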
@ -232,6 +232,7 @@ public:
|
||||
void clearStoredData();
|
||||
void loadVersionFallbackLimit();
|
||||
void setInsecureFallbackSites(const nsCString& str);
|
||||
bool isInsecureFallbackSite(const nsACString& hostname);
|
||||
|
||||
bool mFalseStartRequireNPN;
|
||||
bool mFalseStartRequireForwardSecrecy;
|
||||
|
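Review bot: The new `isInsecureFallbackSite` declaration carries no comment, so a caller reading the header cannot tell that the method takes the helper's `mutex` itself, as the definition on this page does with `MutexAutoLock lock(mutex);`. If that mutex is non-recursive, calling it with the lock already held would deadlock, so the contract belongs at the declaration, for example `// True if hostname is on the list set by setInsecureFallbackSites(). Acquires mutex; do not call with it held.` The lookup does not modify the object, so the method could be `const` if `mutex` is (or can be made) `mutable`; that is a style point and depends on declarations outside this hunk. The class declaration starts and ends outside the hunk.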