Backed out changeset 4f793a75cd93 (bug 1724072) for geckoview failures . CLOSED TREE

browser/base/content/test/about/browser_aboutNetError.js

@@ -6,7 +6,6 @@
 const SSL3_PAGE = "https://ssl3.example.com/";
 const TLS10_PAGE = "https://tls1.example.com/";
 const TLS12_PAGE = "https://tls12.example.com/";
-const TRIPLEDES_PAGE = "https://3des.example.com/";
 
 // This includes all the cipher suite prefs we have.
 const CIPHER_SUITE_PREFS = [
@@ -26,7 +25,7 @@ const CIPHER_SUITE_PREFS = [
   "security.ssl3.rsa_aes_256_sha",
   "security.ssl3.rsa_aes_128_gcm_sha256",
   "security.ssl3.rsa_aes_256_gcm_sha384",
-  "security.ssl3.deprecated.rsa_des_ede3_sha",
+  "security.ssl3.rsa_des_ede3_sha",
   "security.tls13.aes_128_gcm_sha256",
   "security.tls13.aes_256_gcm_sha384",
   "security.tls13.chacha20_poly1305_sha256",
@@ -37,9 +36,6 @@ function resetPrefs() {
   Services.prefs.clearUserPref("security.tls.version.max");
   Services.prefs.clearUserPref("security.tls.version.enable-deprecated");
   Services.prefs.clearUserPref("security.certerrors.tls.version.show-override");
-  CIPHER_SUITE_PREFS.forEach(suitePref => {
-    Services.prefs.clearUserPref(suitePref);
-  });
 }
 
 add_task(async function resetToDefaultConfig() {
@@ -321,41 +317,3 @@ add_task(async function overrideUIPref() {
   resetPrefs();
   BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });
-
-// Test that ciphersuites that use 3DES (namely, TLS_RSA_WITH_3DES_EDE_CBC_SHA)
-// can only be enabled when deprecated TLS is enabled.
-add_task(async function onlyAllow3DESWithDeprecatedTLS() {
-  // By default, connecting to a server that only uses 3DES should fail.
-  await BrowserTestUtils.withNewTab(
-    { gBrowser, url: "about:blank" },
-    async browser => {
-      BrowserTestUtils.loadURI(browser, TRIPLEDES_PAGE);
-      await BrowserTestUtils.waitForErrorPage(browser);
-    }
-  );
-
-  // Enabling deprecated TLS should also enable 3DES.
-  Services.prefs.setBoolPref("security.tls.version.enable-deprecated", true);
-  await BrowserTestUtils.withNewTab(
-    { gBrowser, url: "about:blank" },
-    async browser => {
-      BrowserTestUtils.loadURI(browser, TRIPLEDES_PAGE);
-      await BrowserTestUtils.browserLoaded(browser, false, TRIPLEDES_PAGE);
-    }
-  );
-
-  // 3DES can be disabled separately.
-  Services.prefs.setBoolPref(
-    "security.ssl3.deprecated.rsa_des_ede3_sha",
-    false
-  );
-  await BrowserTestUtils.withNewTab(
-    { gBrowser, url: "about:blank" },
-    async browser => {
-      BrowserTestUtils.loadURI(browser, TRIPLEDES_PAGE);
-      await BrowserTestUtils.waitForErrorPage(browser);
-    }
-  );
-
-  resetPrefs();
-});

browser/components/enterprisepolicies/Policies.jsm

@@ -554,7 +554,7 @@ var Policies = {
       }
       if ("TLS_RSA_WITH_3DES_EDE_CBC_SHA" in param) {
         setAndLockPref(
-          "security.ssl3.deprecated.rsa_des_ede3_sha",
+          "security.ssl3.rsa_des_ede3_sha",
           !param.TLS_RSA_WITH_3DES_EDE_CBC_SHA
         );
       }

browser/components/enterprisepolicies/tests/xpcshell/test_simple_pref_policies.js

@@ -755,7 +755,7 @@ const POLICIES_TESTS = [
       "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": true,
       "security.ssl3.rsa_aes_128_sha": true,
       "security.ssl3.rsa_aes_256_sha": true,
-      "security.ssl3.deprecated.rsa_des_ede3_sha": true,
+      "security.ssl3.rsa_des_ede3_sha": true,
       "security.ssl3.rsa_aes_128_gcm_sha256": true,
       "security.ssl3.rsa_aes_256_gcm_sha384": true,
     },
@@ -786,7 +786,7 @@ const POLICIES_TESTS = [
       "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": false,
       "security.ssl3.rsa_aes_128_sha": false,
       "security.ssl3.rsa_aes_256_sha": false,
-      "security.ssl3.deprecated.rsa_des_ede3_sha": false,
+      "security.ssl3.rsa_des_ede3_sha": false,
       "security.ssl3.rsa_aes_128_gcm_sha256": false,
       "security.ssl3.rsa_aes_256_gcm_sha384": false,
     },

build/pgo/server-locations.txt

@@ -317,9 +317,10 @@ https://sha256ee.example.com:443                                  privileged,cer
 # Hosts for imminent distrust warning tests
 https://imminently-distrusted.example.com:443                     privileged,cert=imminently_distrusted
 
-# Hosts for ssl3/3des/tls1 warning tests
+# Hosts for ssl3/rc4/tls1 warning tests
 https://ssl3.example.com:443         privileged,ssl3
-https://3des.example.com:443         privileged,3des,tls1,tls1_2
+https://rc4.example.com:443          privileged,rc4
+https://ssl3rc4.example.com:443      privileged,ssl3,rc4
 https://tls1.example.com:443         privileged,tls1
 https://tls11.example.com:443        privileged,tls1_1
 https://tls12.example.com:443        privileged,tls1_2

modules/libpref/init/all.js

@@ -53,7 +53,7 @@ pref("security.ssl3.rsa_aes_128_sha", true);
 pref("security.ssl3.rsa_aes_256_sha", true);
 pref("security.ssl3.rsa_aes_128_gcm_sha256", true);
 pref("security.ssl3.rsa_aes_256_gcm_sha384", true);
-pref("security.ssl3.deprecated.rsa_des_ede3_sha", true);
+pref("security.ssl3.rsa_des_ede3_sha", true);
 
 pref("security.content.signature.root_hash",
      "97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E");

security/manager/ssl/nsNSSComponent.cpp

@@ -1024,7 +1024,7 @@ nsresult LoadLoadableCertsTask::LoadLoadableRoots() {
 // Table of pref names and SSL cipher ID
 typedef struct {
   const char* pref;
-  int32_t id;
+  long id;
   bool enabledByDefault;
 } CipherPref;
 
@@ -1075,13 +1075,12 @@ static const CipherPref sCipherPrefs[] = {
      true},  // deprecated (RSA key exchange)
     {"security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA,
      true},  // deprecated (RSA key exchange)
-};
+    {"security.ssl3.rsa_des_ede3_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+     true},  // deprecated (RSA key exchange, 3DES)
 
-// These ciphersuites can only be enabled if deprecated versions of TLS are
+    // All the rest are disabled
-// also enabled (via the preference "security.tls.version.enable-deprecated").
+
-static const CipherPref sDeprecatedTLS1CipherPrefs[] = {
+    {nullptr, 0}  // end marker
-    {"security.ssl3.deprecated.rsa_des_ede3_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-     true},
 };
 
 // This function will convert from pref values like 1, 2, ...
@@ -1358,25 +1357,6 @@ nsresult CipherSuiteChangeObserver::StartObserve() {
   return NS_OK;
 }
 
-// Enables or disabled ciphersuites from deprecated versions of TLS as
-// appropriate. If security.tls.version.enable-deprecated is true, these
-// ciphersuites may be enabled, if the corresponding preference is true.
-// Otherwise, these ciphersuites will be disabled.
-void SetDeprecatedTLS1CipherPrefs() {
-  if (Preferences::GetBool("security.tls.version.enable-deprecated", false)) {
-    for (const auto& deprecatedTLS1CipherPref : sDeprecatedTLS1CipherPrefs) {
-      bool cipherEnabled =
-          Preferences::GetBool(deprecatedTLS1CipherPref.pref,
-                               deprecatedTLS1CipherPref.enabledByDefault);
-      SSL_CipherPrefSetDefault(deprecatedTLS1CipherPref.id, cipherEnabled);
-    }
-  } else {
-    for (const auto& deprecatedTLS1CipherPref : sDeprecatedTLS1CipherPrefs) {
-      SSL_CipherPrefSetDefault(deprecatedTLS1CipherPref.id, false);
-    }
-  }
-}
-
 nsresult CipherSuiteChangeObserver::Observe(nsISupports* /*aSubject*/,
                                             const char* aTopic,
                                             const char16_t* someData) {
@@ -1386,16 +1366,16 @@ nsresult CipherSuiteChangeObserver::Observe(nsISupports* /*aSubject*/,
   if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
     NS_ConvertUTF16toUTF8 prefName(someData);
     // Look through the cipher table and set according to pref setting
-    for (const auto& cipherPref : sCipherPrefs) {
+    const CipherPref* const cp = sCipherPrefs;
-      if (prefName.Equals(cipherPref.pref)) {
+    for (size_t i = 0; cp[i].pref; ++i) {
+      if (prefName.Equals(cp[i].pref)) {
         bool cipherEnabled =
-            Preferences::GetBool(cipherPref.pref, cipherPref.enabledByDefault);
+            Preferences::GetBool(cp[i].pref, cp[i].enabledByDefault);
-        SSL_CipherPrefSetDefault(cipherPref.id, cipherEnabled);
+        SSL_CipherPrefSetDefault(cp[i].id, cipherEnabled);
+        nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
         break;
       }
     }
-    SetDeprecatedTLS1CipherPrefs();
-    nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
   } else if (nsCRT::strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
     Preferences::RemoveObserver(this, "security.");
     MOZ_ASSERT(sObserver.get() == this);
@@ -2749,14 +2729,13 @@ nsresult InitializeCipherSuite() {
   }
 
   // Now only set SSL/TLS ciphers we knew about at compile time
-  for (const auto& cipherPref : sCipherPrefs) {
+  const CipherPref* const cp = sCipherPrefs;
+  for (size_t i = 0; cp[i].pref; ++i) {
     bool cipherEnabled =
-        Preferences::GetBool(cipherPref.pref, cipherPref.enabledByDefault);
+        Preferences::GetBool(cp[i].pref, cp[i].enabledByDefault);
-    SSL_CipherPrefSetDefault(cipherPref.id, cipherEnabled);
+    SSL_CipherPrefSetDefault(cp[i].id, cipherEnabled);
   }
 
-  SetDeprecatedTLS1CipherPrefs();
-
   // Enable ciphers for PKCS#12
   SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
   SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);

testing/mochitest/runtests.py

@@ -684,7 +684,7 @@ class SSLTunnel:
                 "tls1_2",
                 "tls1_3",
                 "ssl3",
-                "3des",
+                "rc4",
                 "failHandshake",
             ):
                 config.write(

testing/mochitest/ssltunnel/ssltunnel.cpp

@@ -146,7 +146,7 @@ struct server_info_t {
   PLHashTable* host_tls11_table;
   PLHashTable* host_tls12_table;
   PLHashTable* host_tls13_table;
-  PLHashTable* host_3des_table;
+  PLHashTable* host_rc4_table;
   PLHashTable* host_failhandshake_table;
 };
 
@@ -245,7 +245,7 @@ void SignalShutdown() {
 // available flags
 enum {
   USE_SSL3 = 1 << 0,
-  USE_3DES = 1 << 1,
+  USE_RC4 = 1 << 1,
   FAIL_HANDSHAKE = 1 << 2,
   USE_TLS1 = 1 << 3,
   USE_TLS1_1 = 1 << 4,
@@ -306,8 +306,8 @@ bool ReadConnectRequest(server_info_t* server_info, relayBuffer& buffer,
     *flags |= USE_SSL3;
   }
 
-  if (PL_HashTableLookup(server_info->host_3des_table, token)) {
+  if (PL_HashTableLookup(server_info->host_rc4_table, token)) {
-    *flags |= USE_3DES;
+    *flags |= USE_RC4;
   }
 
   if (PL_HashTableLookup(server_info->host_tls1_table, token)) {
@@ -444,13 +444,20 @@ bool ConfigureSSLServerSocket(PRFileDesc* socket, server_info_t* si,
     return false;
   }
 
-  if (flags & USE_3DES) {
+  if (flags & USE_RC4) {
     for (uint16_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
       uint16_t cipher_id = SSL_ImplementedCiphers[i];
-      if (cipher_id == TLS_RSA_WITH_3DES_EDE_CBC_SHA) {
+      switch (cipher_id) {
+        case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
+        case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
+        case TLS_RSA_WITH_RC4_128_SHA:
+        case TLS_RSA_WITH_RC4_128_MD5:
           SSL_CipherPrefSet(ssl_socket, cipher_id, true);
-      } else {
+          break;
+
+        default:
           SSL_CipherPrefSet(ssl_socket, cipher_id, false);
+          break;
       }
     }
   }
@@ -765,7 +772,7 @@ void HandleConnection(void* data) {
                                              match_hostname, &match);
                 PL_HashTableEnumerateEntries(ci->server_info->host_tls13_table,
                                              match_hostname, &match);
-                PL_HashTableEnumerateEntries(ci->server_info->host_3des_table,
+                PL_HashTableEnumerateEntries(ci->server_info->host_rc4_table,
                                              match_hostname, &match);
                 PL_HashTableEnumerateEntries(
                     ci->server_info->host_failhandshake_table, match_hostname,
@@ -1036,8 +1043,8 @@ PLHashTable* get_tls13_table(server_info_t* server) {
   return server->host_tls13_table;
 }
 
-PLHashTable* get_3des_table(server_info_t* server) {
+PLHashTable* get_rc4_table(server_info_t* server) {
-  return server->host_3des_table;
+  return server->host_rc4_table;
 }
 
 PLHashTable* get_failhandshake_table(server_info_t* server) {
@@ -1253,11 +1260,11 @@ int processConfigLine(char* configLine) {
         return 1;
       }
 
-      server.host_3des_table =
+      server.host_rc4_table =
           PL_NewHashTable(0, PL_HashString, PL_CompareStrings,
                           PL_CompareStrings, nullptr, nullptr);
       ;
-      if (!server.host_3des_table) {
+      if (!server.host_rc4_table) {
         LOG_ERROR(("Internal, could not create hash table\n"));
         return 1;
       }
@@ -1405,8 +1412,8 @@ int processConfigLine(char* configLine) {
     return parseWeakCryptoConfig(keyword, _caret, get_tls13_table);
   }
 
-  if (!strcmp(keyword, "3des")) {
+  if (!strcmp(keyword, "rc4")) {
-    return parseWeakCryptoConfig(keyword, _caret, get_3des_table);
+    return parseWeakCryptoConfig(keyword, _caret, get_rc4_table);
   }
 
   if (!strcmp(keyword, "failHandshake")) {
@@ -1500,7 +1507,7 @@ int freeTLSHashItems(PLHashEntry* he, int i, void* arg) {
   return HT_ENUMERATE_REMOVE;
 }
 
-int free3DESHashItems(PLHashEntry* he, int i, void* arg) {
+int freeRC4HashItems(PLHashEntry* he, int i, void* arg) {
   delete[](char*) he->key;
   return HT_ENUMERATE_REMOVE;
 }
@@ -1655,10 +1662,10 @@ int main(int argc, char** argv) {
                                  nullptr);
     PL_HashTableEnumerateEntries(server.host_tls13_table, freeTLSHashItems,
                                  nullptr);
-    PL_HashTableEnumerateEntries(server.host_3des_table, free3DESHashItems,
+    PL_HashTableEnumerateEntries(server.host_rc4_table, freeRC4HashItems,
                                  nullptr);
     PL_HashTableEnumerateEntries(server.host_failhandshake_table,
-                                 free3DESHashItems, nullptr);
+                                 freeRC4HashItems, nullptr);
     PL_HashTableDestroy(server.host_cert_table);
     PL_HashTableDestroy(server.host_clientauth_table);
     PL_HashTableDestroy(server.host_redir_table);
@@ -1667,7 +1674,7 @@ int main(int argc, char** argv) {
     PL_HashTableDestroy(server.host_tls11_table);
     PL_HashTableDestroy(server.host_tls12_table);
     PL_HashTableDestroy(server.host_tls13_table);
-    PL_HashTableDestroy(server.host_3des_table);
+    PL_HashTableDestroy(server.host_rc4_table);
     PL_HashTableDestroy(server.host_failhandshake_table);
   }