Backed out changeset 4f793a75cd93 (bug 1724072) for geckoview failures . CLOSED TREE

Author: nbeleuzu

browser/base/content/test/about/browser_aboutNetError.js

@@ -6,7 +6,6 @@
 const SSL3_PAGE = "https://ssl3.example.com/";
 const TLS10_PAGE = "https://tls1.example.com/";
 const TLS12_PAGE = "https://tls12.example.com/";
-const TRIPLEDES_PAGE = "https://3des.example.com/";
 
 // This includes all the cipher suite prefs we have.
 const CIPHER_SUITE_PREFS = [
@@ -26,7 +25,7 @@ const CIPHER_SUITE_PREFS = [
   "security.ssl3.rsa_aes_256_sha",
   "security.ssl3.rsa_aes_128_gcm_sha256",
   "security.ssl3.rsa_aes_256_gcm_sha384",
-  "security.ssl3.deprecated.rsa_des_ede3_sha",
+  "security.ssl3.rsa_des_ede3_sha",
   "security.tls13.aes_128_gcm_sha256",
   "security.tls13.aes_256_gcm_sha384",
   "security.tls13.chacha20_poly1305_sha256",
@@ -37,9 +36,6 @@ function resetPrefs() {
   Services.prefs.clearUserPref("security.tls.version.max");
   Services.prefs.clearUserPref("security.tls.version.enable-deprecated");
   Services.prefs.clearUserPref("security.certerrors.tls.version.show-override");
-  CIPHER_SUITE_PREFS.forEach(suitePref => {
-    Services.prefs.clearUserPref(suitePref);
-  });
 }
 
 add_task(async function resetToDefaultConfig() {
@@ -321,41 +317,3 @@ add_task(async function overrideUIPref() {
   resetPrefs();
   BrowserTestUtils.removeTab(gBrowser.selectedTab);
 });
-
-// Test that ciphersuites that use 3DES (namely, TLS_RSA_WITH_3DES_EDE_CBC_SHA)
-// can only be enabled when deprecated TLS is enabled.
-add_task(async function onlyAllow3DESWithDeprecatedTLS() {
-  // By default, connecting to a server that only uses 3DES should fail.
-  await BrowserTestUtils.withNewTab(
-    { gBrowser, url: "about:blank" },
-    async browser => {
-      BrowserTestUtils.loadURI(browser, TRIPLEDES_PAGE);
-      await BrowserTestUtils.waitForErrorPage(browser);
-    }
-  );
-
-  // Enabling deprecated TLS should also enable 3DES.
-  Services.prefs.setBoolPref("security.tls.version.enable-deprecated", true);
-  await BrowserTestUtils.withNewTab(
-    { gBrowser, url: "about:blank" },
-    async browser => {
-      BrowserTestUtils.loadURI(browser, TRIPLEDES_PAGE);
-      await BrowserTestUtils.browserLoaded(browser, false, TRIPLEDES_PAGE);
-    }
-  );
-
-  // 3DES can be disabled separately.
-  Services.prefs.setBoolPref(
-    "security.ssl3.deprecated.rsa_des_ede3_sha",
-    false
-  );
-  await BrowserTestUtils.withNewTab(
-    { gBrowser, url: "about:blank" },
-    async browser => {
-      BrowserTestUtils.loadURI(browser, TRIPLEDES_PAGE);
-      await BrowserTestUtils.waitForErrorPage(browser);
-    }
-  );
-
-  resetPrefs();
-});

browser/components/enterprisepolicies/Policies.jsm

@@ -554,7 +554,7 @@ var Policies = {
       }
       if ("TLS_RSA_WITH_3DES_EDE_CBC_SHA" in param) {
         setAndLockPref(
-          "security.ssl3.deprecated.rsa_des_ede3_sha",
+          "security.ssl3.rsa_des_ede3_sha",
           !param.TLS_RSA_WITH_3DES_EDE_CBC_SHA
         );
       }

browser/components/enterprisepolicies/tests/xpcshell/test_simple_pref_policies.js

@@ -755,7 +755,7 @@ const POLICIES_TESTS = [
       "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": true,
       "security.ssl3.rsa_aes_128_sha": true,
       "security.ssl3.rsa_aes_256_sha": true,
-      "security.ssl3.deprecated.rsa_des_ede3_sha": true,
+      "security.ssl3.rsa_des_ede3_sha": true,
       "security.ssl3.rsa_aes_128_gcm_sha256": true,
       "security.ssl3.rsa_aes_256_gcm_sha384": true,
     },
@@ -786,7 +786,7 @@ const POLICIES_TESTS = [
       "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": false,
       "security.ssl3.rsa_aes_128_sha": false,
       "security.ssl3.rsa_aes_256_sha": false,
-      "security.ssl3.deprecated.rsa_des_ede3_sha": false,
+      "security.ssl3.rsa_des_ede3_sha": false,
       "security.ssl3.rsa_aes_128_gcm_sha256": false,
       "security.ssl3.rsa_aes_256_gcm_sha384": false,
     },

build/pgo/certs/cert9.db

@@ -317,9 +317,10 @@ https://sha256ee.example.com:443                                  privileged,cer
 # Hosts for imminent distrust warning tests
 https://imminently-distrusted.example.com:443                     privileged,cert=imminently_distrusted
 
-# Hosts for ssl3/3des/tls1 warning tests
+# Hosts for ssl3/rc4/tls1 warning tests
 https://ssl3.example.com:443         privileged,ssl3
-https://3des.example.com:443         privileged,3des,tls1,tls1_2
+https://rc4.example.com:443          privileged,rc4
+https://ssl3rc4.example.com:443      privileged,ssl3,rc4
 https://tls1.example.com:443         privileged,tls1
 https://tls11.example.com:443        privileged,tls1_1
 https://tls12.example.com:443        privileged,tls1_2

build/pgo/certs/key4.db

@@ -53,7 +53,7 @@ pref("security.ssl3.rsa_aes_128_sha", true);
 pref("security.ssl3.rsa_aes_256_sha", true);
 pref("security.ssl3.rsa_aes_128_gcm_sha256", true);
 pref("security.ssl3.rsa_aes_256_gcm_sha384", true);
-pref("security.ssl3.deprecated.rsa_des_ede3_sha", true);
+pref("security.ssl3.rsa_des_ede3_sha", true);
 
 pref("security.content.signature.root_hash",
      "97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E");

build/pgo/certs/mochitest.client

@@ -1024,7 +1024,7 @@ nsresult LoadLoadableCertsTask::LoadLoadableRoots() {
 // Table of pref names and SSL cipher ID
 typedef struct {
   const char* pref;
-  int32_t id;
+  long id;
   bool enabledByDefault;
 } CipherPref;
 
@@ -1075,13 +1075,12 @@ static const CipherPref sCipherPrefs[] = {
      true},  // deprecated (RSA key exchange)
     {"security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA,
      true},  // deprecated (RSA key exchange)
-};
+    {"security.ssl3.rsa_des_ede3_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+     true},  // deprecated (RSA key exchange, 3DES)
 
-// These ciphersuites can only be enabled if deprecated versions of TLS are
-// also enabled (via the preference "security.tls.version.enable-deprecated").
-static const CipherPref sDeprecatedTLS1CipherPrefs[] = {
-    {"security.ssl3.deprecated.rsa_des_ede3_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-     true},
+    // All the rest are disabled
+
+    {nullptr, 0}  // end marker
 };
 
 // This function will convert from pref values like 1, 2, ...
@@ -1358,25 +1357,6 @@ nsresult CipherSuiteChangeObserver::StartObserve() {
   return NS_OK;
 }
 
-// Enables or disabled ciphersuites from deprecated versions of TLS as
-// appropriate. If security.tls.version.enable-deprecated is true, these
-// ciphersuites may be enabled, if the corresponding preference is true.
-// Otherwise, these ciphersuites will be disabled.
-void SetDeprecatedTLS1CipherPrefs() {
-  if (Preferences::GetBool("security.tls.version.enable-deprecated", false)) {
-    for (const auto& deprecatedTLS1CipherPref : sDeprecatedTLS1CipherPrefs) {
-      bool cipherEnabled =
-          Preferences::GetBool(deprecatedTLS1CipherPref.pref,
-                               deprecatedTLS1CipherPref.enabledByDefault);
-      SSL_CipherPrefSetDefault(deprecatedTLS1CipherPref.id, cipherEnabled);
-    }
-  } else {
-    for (const auto& deprecatedTLS1CipherPref : sDeprecatedTLS1CipherPrefs) {
-      SSL_CipherPrefSetDefault(deprecatedTLS1CipherPref.id, false);
-    }
-  }
-}
-
 nsresult CipherSuiteChangeObserver::Observe(nsISupports* /*aSubject*/,
                                             const char* aTopic,
                                             const char16_t* someData) {
@@ -1386,16 +1366,16 @@ nsresult CipherSuiteChangeObserver::Observe(nsISupports* /*aSubject*/,
   if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
     NS_ConvertUTF16toUTF8 prefName(someData);
     // Look through the cipher table and set according to pref setting
-    for (const auto& cipherPref : sCipherPrefs) {
-      if (prefName.Equals(cipherPref.pref)) {
+    const CipherPref* const cp = sCipherPrefs;
+    for (size_t i = 0; cp[i].pref; ++i) {
+      if (prefName.Equals(cp[i].pref)) {
         bool cipherEnabled =
-            Preferences::GetBool(cipherPref.pref, cipherPref.enabledByDefault);
-        SSL_CipherPrefSetDefault(cipherPref.id, cipherEnabled);
+            Preferences::GetBool(cp[i].pref, cp[i].enabledByDefault);
+        SSL_CipherPrefSetDefault(cp[i].id, cipherEnabled);
+        nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
         break;
       }
     }
-    SetDeprecatedTLS1CipherPrefs();
-    nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
   } else if (nsCRT::strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
     Preferences::RemoveObserver(this, "security.");
     MOZ_ASSERT(sObserver.get() == this);
@@ -2749,14 +2729,13 @@ nsresult InitializeCipherSuite() {
   }
 
   // Now only set SSL/TLS ciphers we knew about at compile time
-  for (const auto& cipherPref : sCipherPrefs) {
+  const CipherPref* const cp = sCipherPrefs;
+  for (size_t i = 0; cp[i].pref; ++i) {
     bool cipherEnabled =
-        Preferences::GetBool(cipherPref.pref, cipherPref.enabledByDefault);
-    SSL_CipherPrefSetDefault(cipherPref.id, cipherEnabled);
+        Preferences::GetBool(cp[i].pref, cp[i].enabledByDefault);
+    SSL_CipherPrefSetDefault(cp[i].id, cipherEnabled);
   }
 
-  SetDeprecatedTLS1CipherPrefs();
-
   // Enable ciphers for PKCS#12
   SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
   SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);

build/pgo/server-locations.txt

@@ -684,7 +684,7 @@ def writeLocation(self, config, loc):
                 "tls1_2",
                 "tls1_3",
                 "ssl3",
-                "3des",
+                "rc4",
                 "failHandshake",
             ):
                 config.write(