Bug 901718: Remove TLS intolerance fallback from TLS 1.0 to SSL 3.0 for connection resets, r=honzab
--HG-- extra : rebase_source : 304e73126b66ae2e1a9fa6ae4c0cc3fa803aaac0
parent
00fb081b00
commit
756bf5d8e7
@ -919,8 +919,9 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
|
|||||||
// be used to conclude server is TLS intolerant.
|
// be used to conclude server is TLS intolerant.
|
||||||
// Note this only happens during the initial SSL handshake.
|
// Note this only happens during the initial SSL handshake.
|
||||||
|
|
||||||
uint32_t reason;
|
SSLVersionRange range = socketInfo->GetTLSVersionRange();
|
||||||
|
|
||||||
|
uint32_t reason;
|
||||||
switch (err)
|
switch (err)
|
||||||
{
|
{
|
||||||
case SSL_ERROR_BAD_MAC_ALERT: reason = 1; break;
|
case SSL_ERROR_BAD_MAC_ALERT: reason = 1; break;
|
||||||
@ -948,9 +949,13 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
|
|||||||
// to retry without TLS.
|
// to retry without TLS.
|
||||||
|
|
||||||
// Don't allow STARTTLS connections to fall back on connection resets or
|
// Don't allow STARTTLS connections to fall back on connection resets or
|
||||||
// EOF.
|
// EOF. Also, don't fall back from TLS 1.0 to SSL 3.0 on connection,
|
||||||
|
// because connection resets and EOF have too many false positives,
|
||||||
|
// and we want to maximize how often we send TLS 1.0+ with extensions
|
||||||
|
// if at all reasonable.
|
||||||
conditional:
|
conditional:
|
||||||
if (socketInfo->GetHasCleartextPhase()) {
|
if (range.max <= SSL_LIBRARY_VERSION_TLS_1_0 ||
|
||||||
|
socketInfo->GetHasCleartextPhase()) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
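Review bot: The new guard at `if (range.max <= SSL_LIBRARY_VERSION_TLS_1_0 ||` only blocks the last fallback step; when range.max is TLS 1.1 or 1.2 a reset or EOF still reaches `break;` and, presumably, the retry path below this hunk, so an on-path attacker who injects resets can still walk a client down to TLS 1.0 and strip the 1.1/1.2 protections (explicit IVs, AEAD suites, SHA-256 MACs). If that residual downgrade is an accepted tradeoff it should be stated next to the check, e.g. `// NOTE: resets/EOF still trigger TLS 1.2/1.1 -> TLS 1.0 fallback, which an on-path attacker can force; only the TLS 1.0 -> SSL 3.0 step is blocked here.` The added comment "don't fall back from TLS 1.0 to SSL 3.0 on connection," also drops a word and should read `on connection resets or EOF`. The body of retryDueToTLSIntolerance continues past this hunk, so the retry return itself was not checked here.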
@ -961,7 +966,6 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
|
|||||||
|
|
||||||
Telemetry::ID pre;
|
Telemetry::ID pre;
|
||||||
Telemetry::ID post;
|
Telemetry::ID post;
|
||||||
SSLVersionRange range = socketInfo->GetTLSVersionRange();
|
|
||||||
switch (range.max) {
|
switch (range.max) {
|
||||||
case SSL_LIBRARY_VERSION_TLS_1_2:
|
case SSL_LIBRARY_VERSION_TLS_1_2:
|
||||||
pre = Telemetry::SSL_TLS12_INTOLERANCE_REASON_PRE;
|
pre = Telemetry::SSL_TLS12_INTOLERANCE_REASON_PRE;
|
||||||
|