diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2018-09-01 23:45:10 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-09-01 23:45:10 +0200 |
commit | 1425f020c47b3cbe134f71717299714aead28502 (patch) | |
tree | 47c50413b1bb972617454b100f60c10a4516ca36 | |
parent | 69627ad410935edf4a74a4d4678105d51a662263 (diff) | |
download | uxp-1425f020c47b3cbe134f71717299714aead28502.tar.gz |
Remove support for TLS session caches in TLSServerSocket.
This resolves #738
-rw-r--r-- | devtools/shared/security/socket.js | 1 | ||||
-rw-r--r-- | dom/presentation/provider/PresentationControlService.js | 1 | ||||
-rw-r--r-- | netwerk/base/TLSServerSocket.cpp | 16 | ||||
-rw-r--r-- | netwerk/base/nsITLSServerSocket.idl | 9 | ||||
-rw-r--r-- | netwerk/test/unit/test_be_conservative.js | 1 | ||||
-rw-r--r-- | netwerk/test/unit/test_tls_server.js | 1 | ||||
-rw-r--r-- | netwerk/test/unit/test_tls_server_multiple_clients.js | 1 | ||||
-rw-r--r-- | security/manager/ssl/nsNSSComponent.cpp | 14 | ||||
-rw-r--r-- | security/manager/ssl/tests/unit/test_weak_crypto.js | 1 | ||||
-rw-r--r-- | xpcom/build/XPCOMInit.cpp | 13 |
10 files changed, 15 insertions, 43 deletions
diff --git a/devtools/shared/security/socket.js b/devtools/shared/security/socket.js index 068a8ea81f..9c6f5750a4 100644 --- a/devtools/shared/security/socket.js +++ b/devtools/shared/security/socket.js @@ -480,7 +480,6 @@ SocketListener.prototype = { _setAdditionalSocketOptions: Task.async(function* () { if (this.encryption) { this._socket.serverCert = yield cert.local.getOrCreate(); - this._socket.setSessionCache(false); this._socket.setSessionTickets(false); let requestCert = Ci.nsITLSServerSocket.REQUEST_NEVER; this._socket.setRequestClientCertificate(requestCert); diff --git a/dom/presentation/provider/PresentationControlService.js b/dom/presentation/provider/PresentationControlService.js index fe61d26d65..e9f92247f4 100644 --- a/dom/presentation/provider/PresentationControlService.js +++ b/dom/presentation/provider/PresentationControlService.js @@ -100,7 +100,6 @@ PresentationControlService.prototype = { if (aCert) { this._serverSocket.serverCert = aCert; - this._serverSocket.setSessionCache(false); this._serverSocket.setSessionTickets(false); let requestCert = Ci.nsITLSServerSocket.REQUEST_NEVER; this._serverSocket.setRequestClientCertificate(requestCert); diff --git a/netwerk/base/TLSServerSocket.cpp b/netwerk/base/TLSServerSocket.cpp index 257a7f5da5..97c7f54231 100644 --- a/netwerk/base/TLSServerSocket.cpp +++ b/netwerk/base/TLSServerSocket.cpp @@ -52,12 +52,12 @@ TLSServerSocket::SetSocketDefaults() SSL_OptionSet(mFD, SSL_SECURITY, true); SSL_OptionSet(mFD, SSL_HANDSHAKE_AS_CLIENT, false); SSL_OptionSet(mFD, SSL_HANDSHAKE_AS_SERVER, true); - + SSL_OptionSet(mFD, SSL_NO_CACHE, true); + // We don't currently notify the server API consumer of renegotiation events // (to revalidate peer certs, etc.), so disable it for now. SSL_OptionSet(mFD, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_NEVER); - SetSessionCache(true); SetSessionTickets(true); SetRequestClientCertificate(REQUEST_NEVER); @@ -172,18 +172,6 @@ TLSServerSocket::SetServerCert(nsIX509Cert* aCert) } NS_IMETHODIMP -TLSServerSocket::SetSessionCache(bool aEnabled) -{ - // If AsyncListen was already called (and set mListener), it's too late to set - // this. - if (NS_WARN_IF(mListener)) { - return NS_ERROR_IN_PROGRESS; - } - SSL_OptionSet(mFD, SSL_NO_CACHE, !aEnabled); - return NS_OK; -} - -NS_IMETHODIMP TLSServerSocket::SetSessionTickets(bool aEnabled) { // If AsyncListen was already called (and set mListener), it's too late to set diff --git a/netwerk/base/nsITLSServerSocket.idl b/netwerk/base/nsITLSServerSocket.idl index 57485357f5..dce54ffe74 100644 --- a/netwerk/base/nsITLSServerSocket.idl +++ b/netwerk/base/nsITLSServerSocket.idl @@ -20,15 +20,6 @@ interface nsITLSServerSocket : nsIServerSocket attribute nsIX509Cert serverCert; /** - * setSessionCache - * - * Whether the server should use a session cache. Defaults to true. This - * should be set before calling |asyncListen| if you wish to change the - * default. - */ - void setSessionCache(in boolean aSessionCache); - - /** * setSessionTickets * * Whether the server should support session tickets. Defaults to true. This diff --git a/netwerk/test/unit/test_be_conservative.js b/netwerk/test/unit/test_be_conservative.js index 2c6ac46ad5..36b6d3b90f 100644 --- a/netwerk/test/unit/test_be_conservative.js +++ b/netwerk/test/unit/test_be_conservative.js @@ -140,7 +140,6 @@ function startServer(cert, minServerVersion, maxServerVersion) { tlsServer.init(-1, true, -1); tlsServer.serverCert = cert; tlsServer.setVersionRange(minServerVersion, maxServerVersion); - tlsServer.setSessionCache(false); tlsServer.setSessionTickets(false); tlsServer.asyncListen(new ServerSocketListener()); return tlsServer; diff --git a/netwerk/test/unit/test_tls_server.js b/netwerk/test/unit/test_tls_server.js index d805359c7b..12154a27fe 100644 --- a/netwerk/test/unit/test_tls_server.js +++ b/netwerk/test/unit/test_tls_server.js @@ -90,7 +90,6 @@ function startServer(cert, expectingPeerCert, clientCertificateConfig, onStopListening: function() {} }; - tlsServer.setSessionCache(false); tlsServer.setSessionTickets(false); tlsServer.setRequestClientCertificate(clientCertificateConfig); diff --git a/netwerk/test/unit/test_tls_server_multiple_clients.js b/netwerk/test/unit/test_tls_server_multiple_clients.js index b63c0189bd..74b814e9cf 100644 --- a/netwerk/test/unit/test_tls_server_multiple_clients.js +++ b/netwerk/test/unit/test_tls_server_multiple_clients.js @@ -67,7 +67,6 @@ function startServer(cert) { onStopListening: function() {} }; - tlsServer.setSessionCache(true); tlsServer.setSessionTickets(false); tlsServer.asyncListen(listener); diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index 71043a0e71..14b1312de7 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1938,20 +1938,6 @@ nsNSSComponent::InitializeNSS() return NS_ERROR_FAILURE; } - // TLSServerSocket may be run with the session cache enabled. It is necessary - // to call this once before that can happen. This specifies a maximum of 1000 - // cache entries (the default number of cache entries is 10000, which seems a - // little excessive as there probably won't be that many clients connecting to - // any TLSServerSockets the browser runs.) - // Note that this must occur before any calls to SSL_ClearSessionCache - // (otherwise memory will leak). - if (SSL_ConfigServerSessionIDCache(1000, 0, 0, nullptr) != SECSuccess) { -#ifdef ANDROID - MOZ_RELEASE_ASSERT(false); -#endif - return NS_ERROR_FAILURE; - } - // ensure the CertBlocklist is initialised nsCOMPtr<nsICertBlocklist> certList = do_GetService(NS_CERTBLOCKLIST_CONTRACTID); #ifdef ANDROID diff --git a/security/manager/ssl/tests/unit/test_weak_crypto.js b/security/manager/ssl/tests/unit/test_weak_crypto.js index effedf8e3a..3367e90677 100644 --- a/security/manager/ssl/tests/unit/test_weak_crypto.js +++ b/security/manager/ssl/tests/unit/test_weak_crypto.js @@ -77,7 +77,6 @@ function startServer(cert, rc4only) { onStopListening: function() {} }; - tlsServer.setSessionCache(false); tlsServer.setSessionTickets(false); tlsServer.setRequestClientCertificate(Ci.nsITLSServerSocket.REQUEST_NEVER); if (rc4only) { diff --git a/xpcom/build/XPCOMInit.cpp b/xpcom/build/XPCOMInit.cpp index e8ee5828a4..b89f51a98a 100644 --- a/xpcom/build/XPCOMInit.cpp +++ b/xpcom/build/XPCOMInit.cpp @@ -123,6 +123,8 @@ extern nsresult nsStringInputStreamConstructor(nsISupports*, REFNSIID, void**); #include "nsMemoryInfoDumper.h" #include "nsSecurityConsoleMessage.h" #include "nsMessageLoop.h" +#include "nss.h" +#include "ssl.h" #include "nsStatusReporterManager.h" @@ -1043,6 +1045,17 @@ ShutdownXPCOM(nsIServiceManager* aServMgr) sInitializedJS = false; } + // At this point all networking threads should have been joined and the + // component manager is shut down. Any remaining objects that hold NSS + // resources (should!) have been released, so we can safely shut down NSS. + if (NSS_IsInitialized()) { + SSL_ClearSessionCache(); + // XXX: It would be nice if we can enforce this shutdown. + if (NSS_Shutdown() != SECSuccess) { + NS_WARNING("NSS Shutdown failed - some resources are still in use"); + } + } + // Release our own singletons // Do this _after_ shutting down the component manager, because the // JS component loader will use XPConnect to call nsIModule::canUnload, |