diff --git a/browser/devtools/webconsole/test/browser_webconsole_certificate_messages.js b/browser/devtools/webconsole/test/browser_webconsole_certificate_messages.js
index 8f41d13222f..d469b941155 100644
--- a/browser/devtools/webconsole/test/browser_webconsole_certificate_messages.js
+++ b/browser/devtools/webconsole/test/browser_webconsole_certificate_messages.js
@@ -2,87 +2,72 @@ /* Any copyright is dedicated to the Public Domain. * http://creativecommons.org/publicdomain/zero/1.0/ */ -// Tests that the Web Console shows weak crypto warnings (SHA-1 Certificate, SSLv3, and RC4) +// Tests that the Web Console shows SHA-1 Certificate warnings -const TEST_URI_PATH = "/browser/browser/devtools/webconsole/test/test-certificate-messages.html"; -let gWebconsoleTests = [ - {url: "https://sha1ee.example.com" + TEST_URI_PATH, - name: "SHA1 warning displayed successfully", - warning: ["SHA-1"], nowarning: ["SSL 3.0", "RC4"]}, - {url: "https://ssl3.example.com" + TEST_URI_PATH, - name: "SSL3 warning displayed successfully", - pref: [["security.tls.version.min", 0]], - warning: ["SSL 3.0"], nowarning: ["SHA-1", "RC4"]}, - {url: "https://rc4.example.com" + TEST_URI_PATH, - name: "RC4 warning displayed successfully", - warning: ["RC4"], nowarning: ["SHA-1", "SSL 3.0"]}, - {url: "https://ssl3rc4.example.com" + TEST_URI_PATH, - name: "SSL3 and RC4 warning displayed successfully", - pref: [["security.tls.version.min", 0]], - warning: ["SSL 3.0", "RC4"], nowarning: ["SHA-1"]}, - {url: "https://sha256ee.example.com" + TEST_URI_PATH, - name: "SSL warnings appropriately not present", - warning: [], nowarning: ["SHA-1", "SSL 3.0", "RC4"]}, -]; +const TEST_BAD_URI = "https://sha1ee.example.com/browser/browser/devtools/webconsole/test/test-certificate-messages.html"; +const TEST_GOOD_URI = "https://sha256ee.example.com/browser/browser/devtools/webconsole/test/test-certificate-messages.html"; const TRIGGER_MSG = "If you haven't seen ssl warnings yet, you won't"; let gHud = undefined; -let gCurrentTest; function test() { registerCleanupFunction(function () { gHud = null; }); - addTab("data:text/html;charset=utf8,Web Console weak crypto warnings test"); + addTab("data:text/html;charset=utf8,Web Console SHA-1 warning test"); browser.addEventListener("load", function _onLoad() { browser.removeEventListener("load", _onLoad, true); - openConsole(null, 
runTestLoop); + openConsole(null, loadBadDocument); }, true); } -function runTestLoop(theHud) { - gCurrentTest = gWebconsoleTests.shift(); - if (!gCurrentTest) { - finishTest(); - } - if (!gHud) { - gHud = theHud; - } - gHud.jsterm.clearOutput(); - browser.addEventListener("load", onLoad, true); - if (gCurrentTest.pref) { - SpecialPowers.pushPrefEnv({"set": gCurrentTest.pref}, - function() { - content.location = gCurrentTest.url; - }); - } else { - content.location = gCurrentTest.url; - } +function loadBadDocument(theHud) { + gHud = theHud; + browser.addEventListener("load", onBadLoad, true); + content.location = TEST_BAD_URI; } -function onLoad(aEvent) { - browser.removeEventListener("load", onLoad, true); +function onBadLoad(aEvent) { + browser.removeEventListener("load", onBadLoad, true); + testForWarningMessage(); +} + +function loadGoodDocument(theHud) { + gHud.jsterm.clearOutput() + browser.addEventListener("load", onGoodLoad, true); + content.location = TEST_GOOD_URI; +} + +function onGoodLoad(aEvent) { + browser.removeEventListener("load", onGoodLoad, true); + testForNoWarning(); +} + +function testForWarningMessage() { let aOutputNode = gHud.outputNode; waitForSuccess({ - name: gCurrentTest.name, + name: "SHA1 warning displayed successfully", validatorFn: function() { - if (gHud.outputNode.textContent.indexOf(TRIGGER_MSG) >= 0) { - for (let warning of gCurrentTest.warning) { - if (gHud.outputNode.textContent.indexOf(warning) < 0) { - return false; - } - } - for (let nowarning of gCurrentTest.nowarning) { - if (gHud.outputNode.textContent.indexOf(nowarning) >= 0) { - return false; - } - } - return true; - } + return gHud.outputNode.textContent.indexOf("SHA-1") > -1; }, - successFn: runTestLoop, + successFn: loadGoodDocument, + failureFn: finishTest, + }); +} + +function testForNoWarning() { + let aOutputNode = gHud.outputNode; + + waitForSuccess({ + name: "SHA1 warning appropriately missed", + validatorFn: function() { + if 
(gHud.outputNode.textContent.indexOf(TRIGGER_MSG) > -1) { + return gHud.outputNode.textContent.indexOf("SHA-1") == -1; + } + }, + successFn: finishTest, failureFn: finishTest, }); } diff --git a/build/pgo/certs/cert8.db b/build/pgo/certs/cert8.db index bfc718af653..9b3b738f0d9 100644 Binary files a/build/pgo/certs/cert8.db and b/build/pgo/certs/cert8.db differ diff --git a/build/pgo/certs/key3.db b/build/pgo/certs/key3.db index bc41b88d88c..809f62c172c 100644 Binary files a/build/pgo/certs/key3.db and b/build/pgo/certs/key3.db differ diff --git a/build/pgo/server-locations.txt b/build/pgo/server-locations.txt index a2f62c7ff7a..bd2eb68d423 100644 --- a/build/pgo/server-locations.txt +++ b/build/pgo/server-locations.txt @@ -233,8 +233,3 @@ https://include-subdomains.pinning.example.com:443 privileged,cer # Hosts for sha1 console warning tests https://sha1ee.example.com:443 privileged,cert=sha1_end_entity https://sha256ee.example.com:443 privileged,cert=sha256_end_entity - -# Hosts for ssl3/rc4 console warning tests -https://ssl3.example.com:443 privileged,ssl3 -https://rc4.example.com:443 privileged,rc4 -https://ssl3rc4.example.com:443 privileged,ssl3,rc4 diff --git a/dom/locales/en-US/chrome/security/security.properties b/dom/locales/en-US/chrome/security/security.properties index 076229c0c71..20918c85e0f 100644 --- a/dom/locales/en-US/chrome/security/security.properties +++ b/dom/locales/en-US/chrome/security/security.properties 
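Review bot: `loadGoodDocument` drops the statement terminator on `gHud.jsterm.clearOutput()`, and both `testForWarningMessage` and `testForNoWarning` declare `let aOutputNode = gHud.outputNode;` without ever using it, since each validator reads `gHud.outputNode` directly; the call should read `gHud.jsterm.clearOutput();` and the two dead locals should go. `loadGoodDocument(theHud)` also takes a parameter it never reads, because `gHud` was already captured in `loadBadDocument`, so the parameter can be dropped or the function can simply reuse the global it already relies on. In `testForNoWarning` the validator falls off the end and yields `undefined` until TRIGGER_MSG appears, which only works because waitForSuccess treats a falsy result as "not yet"; an explicit `return false;` after the `if` block makes that polling contract visible to the next reader.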
@@ -19,8 +19,3 @@ LoadingMixedActiveContent=Loading mixed (insecure) active content on a secure pa LoadingMixedDisplayContent=Loading mixed (insecure) display content on a secure page "%1$S" # LOCALIZATION NOTE: Do not translate "allow-scripts", "allow-same-origin", "sandbox" or "iframe" BothAllowScriptsAndSameOriginPresent=An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing. - -# LOCALIZATION NOTE: Do not translate "SSL 3.0". -WeakProtocolVersionWarning=This site uses the protocol SSL 3.0 for encryption, which is deprecated and insecure. -# LOCALIZATION NOTE: Do not translate "RC4". -WeakCipherSuiteWarning=This site uses the cipher RC4 for encryption, which is deprecated and insecure. diff --git a/layout/printing/nsIPrintProgress.idl b/layout/printing/nsIPrintProgress.idl index 2edcd2ef3df..9d6488edbcf 100644 --- a/layout/printing/nsIPrintProgress.idl +++ b/layout/printing/nsIPrintProgress.idl @@ -8,7 +8,7 @@ interface nsIDOMWindow; interface nsIObserver; interface nsIPrompt; -[scriptable, uuid(10b6ec13-09ed-4f7d-9df9-962c0d18306f)] +[scriptable, uuid(594fd36d-5b1b-412f-a74e-ab72099a5bb2)] interface nsIPrintProgress: nsIWebProgressListener { /* Open the progress dialog diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp index 9b63b0169b7..943e9781205 100644 --- a/netwerk/protocol/http/nsHttpChannel.cpp +++ b/netwerk/protocol/http/nsHttpChannel.cpp @@ -48,8 +48,6 @@ #include "nsIScriptSecurityManager.h" #include "nsISSLStatus.h" #include "nsISSLStatusProvider.h" -#include "nsITransportSecurityInfo.h" -#include "nsIWebProgressListener.h" #include "LoadContextInfo.h" #include "netCore.h" #include "nsHttpTransaction.h" 
@@ -1218,25 +1216,6 @@ nsHttpChannel::ProcessSSLInformation() if (!sslstat) return; - nsCOMPtr securityInfo = - do_QueryInterface(mSecurityInfo); - uint32_t state; - if (securityInfo && - NS_SUCCEEDED(securityInfo->GetSecurityState(&state)) && - (state & nsIWebProgressListener::STATE_IS_BROKEN)) { - // Send weak crypto warnings to the web console - if (state & nsIWebProgressListener::STATE_USES_SSL_3) { - nsString consoleErrorTag = NS_LITERAL_STRING("WeakProtocolVersionWarning"); - nsString consoleErrorCategory = NS_LITERAL_STRING("SSL"); - AddSecurityMessage(consoleErrorTag, consoleErrorCategory); - } - if (state & nsIWebProgressListener::STATE_USES_WEAK_CRYPTO) { - nsString consoleErrorTag = NS_LITERAL_STRING("WeakCipherSuiteWarning"); - nsString consoleErrorCategory = NS_LITERAL_STRING("SSL"); - AddSecurityMessage(consoleErrorTag, consoleErrorCategory); - } - } - // Send (SHA-1) signature algorithm errors to the web console nsCOMPtr cert; sslstat->GetServerCert(getter_AddRefs(cert)); diff --git a/security/manager/ssl/src/nsNSSCallbacks.cpp b/security/manager/ssl/src/nsNSSCallbacks.cpp index 50a09400d75..75b3935b1b3 100644 --- a/security/manager/ssl/src/nsNSSCallbacks.cpp +++ b/security/manager/ssl/src/nsNSSCallbacks.cpp @@ -1172,8 +1172,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { infoObject->GetPort(), versions.max); - bool usesWeakProtocol = false; - bool usesWeakCipher = false; + bool weakEncryption = false; SSLChannelInfo channelInfo; rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)); MOZ_ASSERT(rv == SECSuccess); 
@@ -1192,9 +1191,9 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { sizeof cipherInfo); MOZ_ASSERT(rv == SECSuccess); if (rv == SECSuccess) { - usesWeakProtocol = - channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0; - usesWeakCipher = cipherInfo.symCipher == ssl_calg_rc4; + weakEncryption = + (channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0) || + (cipherInfo.symCipher == ssl_calg_rc4); // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4 Telemetry::Accumulate( @@ -1266,23 +1265,15 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { if (rv != SECSuccess) { siteSupportsSafeRenego = false; } - bool renegotiationUnsafe = !siteSupportsSafeRenego && - ioLayerHelpers.treatUnsafeNegotiationAsBroken(); - uint32_t state; - if (usesWeakProtocol || usesWeakCipher || renegotiationUnsafe) { - state = nsIWebProgressListener::STATE_IS_BROKEN; - if (usesWeakProtocol) { - state |= nsIWebProgressListener::STATE_USES_SSL_3; - } - if (usesWeakCipher) { - state |= nsIWebProgressListener::STATE_USES_WEAK_CRYPTO; - } + if (!weakEncryption && + (siteSupportsSafeRenego || + !ioLayerHelpers.treatUnsafeNegotiationAsBroken())) { + infoObject->SetSecurityState(nsIWebProgressListener::STATE_IS_SECURE | + nsIWebProgressListener::STATE_SECURE_HIGH); } else { - state = nsIWebProgressListener::STATE_IS_SECURE | - nsIWebProgressListener::STATE_SECURE_HIGH; + infoObject->SetSecurityState(nsIWebProgressListener::STATE_IS_BROKEN); } - infoObject->SetSecurityState(state); // XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead, // we should set a flag on the channel that higher (UI) level code can check diff --git a/toolkit/components/downloads/nsIDownload.idl b/toolkit/components/downloads/nsIDownload.idl index f1870c6a270..47eb4878085 100644 --- a/toolkit/components/downloads/nsIDownload.idl +++ b/toolkit/components/downloads/nsIDownload.idl 
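Review bot: `weakEncryption` is assigned only inside the `if (rv == SECSuccess)` branch that follows SSL_GetCipherSuiteInfo, and the initializer introduced in the preceding hunk is `false`, so on a release build where SSL_GetChannelInfo or SSL_GetCipherSuiteInfo fails (each is only MOZ_ASSERTed, not handled) the connection falls through to the secure branch later in HandshakeCallback. The removed two-flag code had the same fail-open default, but collapsing it into a single flag is the right moment to say so next to the declaration, e.g. `// Stays false when channel/cipher info is unavailable; the connection is then not reported as broken.`, or to make the failure path an explicit decision rather than an accident of the initializer. The enclosing function starts and ends outside this hunk.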
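Review bot: The new condition `!weakEncryption && (siteSupportsSafeRenego || !ioLayerHelpers.treatUnsafeNegotiationAsBroken())` states "not broken" as a negated disjunction, so a reader has to apply De Morgan to recover the rule the removed lines stated directly. Keeping the removed local, `bool renegotiationUnsafe = !siteSupportsSafeRenego && ioLayerHelpers.treatUnsafeNegotiationAsBroken();`, and testing `if (weakEncryption || renegotiationUnsafe)` for the STATE_IS_BROKEN branch is equivalent and keeps each reason for downgrading the security state named. This is a point of style only; the two branches as written select the same state as before. HandshakeCallback continues outside the hunk.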
@@ -24,7 +24,7 @@ interface nsIMIMEInfo; * nsIDownloadManager::DOWNLOAD_DIRTY * nsIDownloadManager::DOWNLOAD_BLOCKED_POLICY */ -[scriptable, uuid(59f00997-c2ab-4a8b-901d-ccb761cadddd)] +[scriptable, uuid(2258f465-656e-4566-87cb-f791dbaf0322)] interface nsIDownload : nsITransfer { /** diff --git a/uriloader/base/nsITransfer.idl b/uriloader/base/nsITransfer.idl index 3cf016c88e6..da34d4ac490 100644 --- a/uriloader/base/nsITransfer.idl +++ b/uriloader/base/nsITransfer.idl @@ -11,7 +11,7 @@ interface nsICancelable; interface nsIMIMEInfo; interface nsIFile; -[scriptable, uuid(9b729b43-0d74-4762-bf11-8cb88a88ead3)] +[scriptable, uuid(37ec75d3-97ad-4da8-afaa-eabe5b4afd73)] interface nsITransfer : nsIWebProgressListener2 { /** diff --git a/uriloader/base/nsIWebProgressListener.idl b/uriloader/base/nsIWebProgressListener.idl index b4d2fabb616..6bb6811cd2b 100644 --- a/uriloader/base/nsIWebProgressListener.idl +++ b/uriloader/base/nsIWebProgressListener.idl @@ -17,7 +17,7 @@ interface nsIURI; * nsIWebProgress instances. nsIWebProgress.idl describes the parent-child * relationship of nsIWebProgress instances. */ -[scriptable, uuid(90685740-e180-41f1-8394-441c470d5096)] +[scriptable, uuid(a9df523b-efe2-421e-9d8e-3d7f807dda4c)] interface nsIWebProgressListener : nsISupports { /** @@ -252,20 +252,6 @@ interface nsIWebProgressListener : nsISupports const unsigned long STATE_IDENTITY_EV_TOPLEVEL = 0x00100000; - /** - * Broken state flags - * - * These flags describe the reason of the broken state. - * - * STATE_USES_SSL_3 - * The topmost document uses SSL 3.0. - * - * STATE_USES_WEAK_CRYPTO - * The topmost document uses a weak cipher suite such as RC4. - */ - const unsigned long STATE_USES_SSL_3 = 0x01000000; - const unsigned long STATE_USES_WEAK_CRYPTO = 0x02000000; - /** * Notification indicating the state has changed for one of the requests * associated with aWebProgress. 
diff --git a/uriloader/base/nsIWebProgressListener2.idl b/uriloader/base/nsIWebProgressListener2.idl index a2b5c66da86..87701f8d2cf 100644 --- a/uriloader/base/nsIWebProgressListener2.idl +++ b/uriloader/base/nsIWebProgressListener2.idl @@ -7,7 +7,7 @@ /** * An extended version of nsIWebProgressListener. */ -[scriptable, uuid(19e9d920-c67e-406c-aeea-77ac5a5c908d)] +[scriptable, uuid(dde39de0-e4e0-11da-8ad9-0800200c9a66)] interface nsIWebProgressListener2 : nsIWebProgressListener { /** * Notification that the progress has changed for one of the requests