summaryrefslogtreecommitdiffstats
path: root/security/manager
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-09-29 10:09:13 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-09-29 10:09:13 +0200
commit347aea437facd5324b3d8d27c587d8054e9b8b9a (patch)
tree7e81656789bfa06495ad8ffb1b42fdc27832ba47 /security/manager
parent77af3f17663fd8fada8e0d368d92bef845fcf48e (diff)
downloadUXP-347aea437facd5324b3d8d27c587d8054e9b8b9a.tar
UXP-347aea437facd5324b3d8d27c587d8054e9b8b9a.tar.gz
UXP-347aea437facd5324b3d8d27c587d8054e9b8b9a.tar.lz
UXP-347aea437facd5324b3d8d27c587d8054e9b8b9a.tar.xz
UXP-347aea437facd5324b3d8d27c587d8054e9b8b9a.zip
Get rid of the incorrect mechanism to remove insecure fallback hosts.
This fixes #797.
Diffstat (limited to 'security/manager')
-rw-r--r--security/manager/ssl/nsNSSCallbacks.cpp12
1 files changed, 0 insertions, 12 deletions
diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
index 6bac59f51..daabca591 100644
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -1277,7 +1277,6 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
infoObject->GetPort(),
versions.max);
- bool usesFallbackCipher = false;
SSLChannelInfo channelInfo;
rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo));
MOZ_ASSERT(rv == SECSuccess);
@@ -1296,8 +1295,6 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
sizeof cipherInfo);
MOZ_ASSERT(rv == SECSuccess);
if (rv == SECSuccess) {
- usesFallbackCipher = channelInfo.keaType == ssl_kea_dh;
-
MOZ_ASSERT(infoObject->GetKEAUsed() == channelInfo.keaType);
if (infoObject->IsFullHandshake()) {
@@ -1372,15 +1369,6 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
} else {
state = nsIWebProgressListener::STATE_IS_SECURE |
nsIWebProgressListener::STATE_SECURE_HIGH;
- if (!usesFallbackCipher) {
- SSLVersionRange defVersion;
- rv = SSL_VersionRangeGetDefault(ssl_variant_stream, &defVersion);
- if (rv == SECSuccess && versions.max >= defVersion.max) {
- // we know this site no longer requires a fallback cipher
- ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(),
- infoObject->GetPort());
- }
- }
}
if (status->HasServerCert()) {