Bug 1128763 - Do insecure fallback after PR_CONNECT_RESET_ERROR for whitelisted sites only. r=keeler

Masatoshi Kimura 2015-02-05 22:02:32 +09:00
parent 6fbc2ae89f
commit 21dab1da42
2 changed files with 16 additions and 0 deletions


@ -1224,6 +1224,14 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
return false;
}
// Allow PR_CONNECT_RESET_ERROR only for whitelisted sites.
if (err == PR_CONNECT_RESET_ERROR &&
!socketInfo->SharedState().IOLayerHelpers()
.isInsecureFallbackSite(socketInfo->GetHostName())) {
return false;
}
if ((err == SSL_ERROR_NO_CYPHER_OVERLAP || err == PR_END_OF_FILE_ERROR ||
err == PR_CONNECT_RESET_ERROR) &&
nsNSSComponent::AreAnyWeakCiphersEnabled()) {
@ -1835,6 +1843,13 @@ nsSSLIOLayerHelpers::setInsecureFallbackSites(const nsCString& str)
}
}
bool
nsSSLIOLayerHelpers::isInsecureFallbackSite(const nsACString& hostname)
{
MutexAutoLock lock(mutex);
return mInsecureFallbackSites.Contains(hostname);
}
void
nsSSLIOLayerHelpers::setTreatUnsafeNegotiationAsBroken(bool broken)
{
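Review bot: The comment above the new `PR_CONNECT_RESET_ERROR` check in retryDueToTLSIntolerance says what is allowed but not why, and the reason is the security-relevant part. A connection reset is unauthenticated and can be injected on the network path to force a downgrade, so I would spell that out: `// A TCP reset is unauthenticated and can be forged to force a downgrade, so fall back after PR_CONNECT_RESET_ERROR only for whitelisted sites.` Separately, isInsecureFallbackSite does an exact `Contains(hostname)` lookup, and this page does not show whether `GetHostName()` and the entries stored by setInsecureFallbackSites are normalised the same way (case, trailing dot). A mismatch would fail closed (no fallback), but a one-line comment on the expected host-name form would save the next reader from guessing. Both retryDueToTLSIntolerance and setInsecureFallbackSites extend outside the hunks shown, and no test for the new branch is visible on this page.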


@ -232,6 +232,7 @@ public:
void clearStoredData();
void loadVersionFallbackLimit();
void setInsecureFallbackSites(const nsCString& str);
bool isInsecureFallbackSite(const nsACString& hostname);
bool mFalseStartRequireNPN;
bool mFalseStartRequireForwardSecrecy;