From 50d0e8393ecc61f8e891367f88947228409352a1 Mon Sep 17 00:00:00 2001
From: Masatoshi Kimura
Date: Sat, 21 Feb 2015 17:20:22 +0900
Subject: [PATCH] Bug 1127339 - Detect SSLv3-only server in PSM. r=keeler
---
 security/manager/ssl/src/nsNSSIOLayer.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/security/manager/ssl/src/nsNSSIOLayer.cpp b/security/manager/ssl/src/nsNSSIOLayer.cpp
index 01a9d8aa50f..9b6c9264178 100644
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -1209,6 +1209,12 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
 SSLVersionRange range = socketInfo->GetTLSVersionRange();
 nsSSLIOLayerHelpers& helpers = socketInfo->SharedState().IOLayerHelpers();
+ if (err == SSL_ERROR_UNSUPPORTED_VERSION &&
+ range.min == SSL_LIBRARY_VERSION_TLS_1_0) {
+ socketInfo->SetSecurityState(nsIWebProgressListener::STATE_IS_INSECURE |
+ nsIWebProgressListener::STATE_USES_SSL_3);
+ }
+
 if (err == SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT) {
 // This is a clear signal that we've fallen back too many versions. Treat
 // this as a hard failure, but forget any intolerance so that later attempts
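Review bot: The added `if` in retryDueToTLSIntolerance infers "this server only speaks SSL 3.0" from `err == SSL_ERROR_UNSUPPORTED_VERSION` combined with `range.min == SSL_LIBRARY_VERSION_TLS_1_0`, and nothing in the hunk documents why that pair is sufficient or how trustworthy the signal is. The error is presumably raised from the version in a ServerHello that has not yet been authenticated, so `STATE_USES_SSL_3` is best treated as an error-reporting hint and not as a verified property of the server; the visible effect (marking the socket `STATE_IS_INSECURE`) fails closed, which is the right direction. I would add a comment above the check along the lines of `// Peer chose a version below our minimum of TLS 1.0, i.e. SSL 3.0. Unauthenticated signal: used only to report the failure, never to change what we negotiate.` The equality test also means the state is not set when the configured minimum is above TLS 1.0, which is worth stating in the same comment if it is intentional. The function body starts and ends outside the hunk, so whether a later successful handshake on the same socket resets this state cannot be confirmed from here.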