bug 1121706 - don't offer h2 in alpn if w/out mandatory suite r=hurley
--HG-- extra : rebase_source : 6220a4ace1df2f6cc7f02c98f46b331b251a42d2
parent
4504972ef2
commit
dfe84c8ed8
@ -3283,6 +3283,11 @@ Http2Session::BufferOutput(const char *buf,
|
||||
bool // static
|
||||
Http2Session::ALPNCallback(nsISupports *securityInfo)
|
||||
{
|
||||
if (!gHttpHandler->IsH2MandatorySuiteEnabled()) {
|
||||
LOG3(("Http2Session::ALPNCallback Mandatory Cipher Suite Unavailable\n"));
|
||||
return false;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsISSLSocketControl> ssl = do_QueryInterface(securityInfo);
|
||||
LOG3(("Http2Session::ALPNCallback sslsocketcontrol=%p\n", ssl.get()));
|
||||
if (ssl) {
|
||||
|
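Review bot: The new guard at the top of `Http2Session::ALPNCallback` tests a cached preference, not the cipher suite this socket actually offered or negotiated, and nothing in the hunk says so. If the suite can be turned off by any route other than that pref (not visible here), h2 would still be accepted without it. I would add a comment above the check, for example `// h2 over TLS 1.2 needs ECDHE_RSA_AES_128_GCM_SHA256; this reflects the pref only, not the negotiated suite`, so it is not later read as a per-connection check. The function body continues past the end of the hunk.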
@ -83,6 +83,7 @@ extern PRThread *gSocketThread;
|
||||
#define INTL_ACCEPT_LANGUAGES "intl.accept_languages"
|
||||
#define BROWSER_PREF_PREFIX "browser.cache."
|
||||
#define DONOTTRACK_HEADER_ENABLED "privacy.donottrackheader.enabled"
|
||||
#define H2MANDATORY_SUITE "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256"
|
||||
#define TELEMETRY_ENABLED "toolkit.telemetry.enabled"
|
||||
#define ALLOW_EXPERIMENTS "network.allow-experiments"
|
||||
#define SAFE_HINT_HEADER_VALUE "safeHint.enabled"
|
||||
@ -146,6 +147,7 @@ nsHttpHandler::nsHttpHandler()
|
||||
, mMaxRequestAttempts(10)
|
||||
, mMaxRequestDelay(10)
|
||||
, mIdleSynTimeout(250)
|
||||
, mH2MandatorySuiteEnabled(false)
|
||||
, mPipeliningEnabled(false)
|
||||
, mMaxConnections(24)
|
||||
, mMaxPersistentConnectionsPerServer(2)
|
||||
@ -273,6 +275,7 @@ nsHttpHandler::Init()
|
||||
prefBranch->AddObserver(BROWSER_PREF("disk_cache_ssl"), this, true);
|
||||
prefBranch->AddObserver(DONOTTRACK_HEADER_ENABLED, this, true);
|
||||
prefBranch->AddObserver(TELEMETRY_ENABLED, this, true);
|
||||
prefBranch->AddObserver(H2MANDATORY_SUITE, this, true);
|
||||
prefBranch->AddObserver(HTTP_PREF("tcp_keepalive.short_lived_connections"), this, true);
|
||||
prefBranch->AddObserver(HTTP_PREF("tcp_keepalive.long_lived_connections"), this, true);
|
||||
prefBranch->AddObserver(SAFE_HINT_HEADER_VALUE, this, true);
|
||||
@ -1378,6 +1381,17 @@ nsHttpHandler::PrefsChanged(nsIPrefBranch *prefs, const char *pref)
|
||||
}
|
||||
}
|
||||
|
||||
// "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256" is the required h2 interop
|
||||
// suite.
|
||||
|
||||
if (PREF_CHANGED(H2MANDATORY_SUITE)) {
|
||||
cVar = false;
|
||||
rv = prefs->GetBoolPref(H2MANDATORY_SUITE, &cVar);
|
||||
if (NS_SUCCEEDED(rv)) {
|
||||
mH2MandatorySuiteEnabled = cVar;
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// network.allow-experiments
|
||||
//
|
||||
|
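Review bot: In the `PREF_CHANGED(H2MANDATORY_SUITE)` block of `PrefsChanged`, a failed `GetBoolPref` leaves `mH2MandatorySuiteEnabled` at its previous value, so a stale `true` keeps h2 on offer when the pref can no longer be read. Since `cVar` is already reset to `false` before the call, the assignment can fail closed instead: `mH2MandatorySuiteEnabled = NS_SUCCEEDED(rv) && cVar;`. `PrefsChanged` starts before this hunk, so whether the block also runs once at startup to pick up the initial pref value cannot be confirmed from here.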
@ -318,6 +318,7 @@ public:
|
||||
PRIntervalTime GetPipelineTimeout() { return mPipelineReadTimeout; }
|
||||
|
||||
SpdyInformation *SpdyInfo() { return &mSpdyInfo; }
|
||||
bool IsH2MandatorySuiteEnabled() { return mH2MandatorySuiteEnabled; }
|
||||
|
||||
// returns true in between Init and Shutdown states
|
||||
bool Active() { return mHandlerActive; }
|
||||
@ -386,6 +387,7 @@ private:
|
||||
uint16_t mMaxRequestDelay;
|
||||
uint16_t mIdleSynTimeout;
|
||||
|
||||
bool mH2MandatorySuiteEnabled;
|
||||
bool mPipeliningEnabled;
|
||||
uint16_t mMaxConnections;
|
||||
uint8_t mMaxPersistentConnectionsPerServer;
|
||||
|
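Review bot: `IsH2MandatorySuiteEnabled()` returns a plain `bool` that `PrefsChanged` writes, and neither the accessor nor the member carries a comment on which threads may touch it. If `Http2Session::ALPNCallback` runs off the thread that handles pref changes (not visible in this diff), the read is unsynchronised. A one-line comment such as `// written in PrefsChanged; read from Http2Session::ALPNCallback` would record the intended access pattern, and the getter can be declared `const`. The class body starts and ends outside these hunks.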
@ -533,6 +533,23 @@ function test_http2_pushapi_1() {
|
||||
chan.asyncOpen(listener, chan);
|
||||
}
|
||||
|
||||
var WrongSuiteListener = function() {};
|
||||
WrongSuiteListener.prototype = new Http2CheckListener();
|
||||
WrongSuiteListener.prototype.shouldBeHttp2 = false;
|
||||
WrongSuiteListener.prototype.onStopRequest = function(request, ctx, status) {
|
||||
prefs.setBoolPref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
|
||||
Http2CheckListener.prototype.onStopRequest.call(this);
|
||||
};
|
||||
|
||||
// test that we use h1 without the mandatory cipher suite available
|
||||
function test_http2_wrongsuite() {
|
||||
prefs.setBoolPref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", false);
|
||||
var chan = makeChan("https://localhost:6944/wrongsuite");
|
||||
chan.loadFlags = Ci.nsIRequest.LOAD_FRESH_CONNECTION | Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI;
|
||||
var listener = new WrongSuiteListener();
|
||||
chan.asyncOpen(listener, null);
|
||||
}
|
||||
|
||||
function test_http2_h11required_stream() {
|
||||
var chan = makeChan("https://localhost:6944/h11required_stream");
|
||||
var listener = new Http2CheckListener();
|
||||
@ -601,6 +618,7 @@ var tests = [ test_http2_post_big
|
||||
, test_http2_h11required_stream
|
||||
, test_http2_h11required_session
|
||||
, test_http2_retry_rst
|
||||
, test_http2_wrongsuite
|
||||
|
||||
// cleanup
|
||||
, test_complete
|
||||
|
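Review bot: `WrongSuiteListener.prototype.onStopRequest` calls the base handler with `.call(this)` and drops `request`, `ctx` and `status`, so the base implementation sees them as undefined if it reads them; pass them through with `Http2CheckListener.prototype.onStopRequest.call(this, request, ctx, status);`. The same handler restores the pref to a hard-coded `true` rather than the value it had before `test_http2_wrongsuite` set it to `false`. If the request never reaches `onStopRequest`, the remaining tests run with the suite disabled. Saving the previous value and restoring it on the test's cleanup path would keep the tests independent of each other.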