Bug 1223131 - Don't remove a host from the whitelist if the version fallback was needed. r=keeler

2024-09-13 09:24:08 -07:00 · 2015-11-12 07:18:37 +09:00 · 2015-11-12 07:18:37 +09:00 · e178ef3a87
commit e178ef3a87
parent 9fd7a4a9fa
2 changed files with 8 additions and 3 deletions
--- a/config/external/nss/nss.def
+++ b/config/external/nss/nss.def
@ -668,6 +668,7 @@ SSL_SetStapledOCSPResponses
 SSL_SetURL
 SSL_SNISocketConfigHook
 SSL_VersionRangeGet
+SSL_VersionRangeGetDefault
 SSL_VersionRangeGetSupported
 SSL_VersionRangeSet
 SSL_VersionRangeSetDefault
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@ -1245,9 +1245,13 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
  } else {
    state = nsIWebProgressListener::STATE_IS_SECURE |
            nsIWebProgressListener::STATE_SECURE_HIGH;
-    // we know this site no longer requires a weak cipher
-    ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(),
-                                              infoObject->GetPort());
+    SSLVersionRange defVersion;
+    rv = SSL_VersionRangeGetDefault(ssl_variant_stream, &defVersion);
+    if (rv == SECSuccess && versions.max >= defVersion.max) {
+      // we know this site no longer requires a weak cipher
+      ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(),
+                                                infoObject->GetPort());
+    }
  }
  infoObject->SetSecurityState(state);