summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-09-01 23:45:10 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-09-01 23:45:10 +0200
commit1425f020c47b3cbe134f71717299714aead28502 (patch)
tree47c50413b1bb972617454b100f60c10a4516ca36
parent69627ad410935edf4a74a4d4678105d51a662263 (diff)
downloaduxp-1425f020c47b3cbe134f71717299714aead28502.tar.gz
Remove support for TLS session caches in TLSServerSocket.
This resolves #738
-rw-r--r--devtools/shared/security/socket.js1
-rw-r--r--dom/presentation/provider/PresentationControlService.js1
-rw-r--r--netwerk/base/TLSServerSocket.cpp16
-rw-r--r--netwerk/base/nsITLSServerSocket.idl9
-rw-r--r--netwerk/test/unit/test_be_conservative.js1
-rw-r--r--netwerk/test/unit/test_tls_server.js1
-rw-r--r--netwerk/test/unit/test_tls_server_multiple_clients.js1
-rw-r--r--security/manager/ssl/nsNSSComponent.cpp14
-rw-r--r--security/manager/ssl/tests/unit/test_weak_crypto.js1
-rw-r--r--xpcom/build/XPCOMInit.cpp13
10 files changed, 15 insertions, 43 deletions
diff --git a/devtools/shared/security/socket.js b/devtools/shared/security/socket.js
index 068a8ea81f..9c6f5750a4 100644
--- a/devtools/shared/security/socket.js
+++ b/devtools/shared/security/socket.js
@@ -480,7 +480,6 @@ SocketListener.prototype = {
_setAdditionalSocketOptions: Task.async(function* () {
if (this.encryption) {
this._socket.serverCert = yield cert.local.getOrCreate();
- this._socket.setSessionCache(false);
this._socket.setSessionTickets(false);
let requestCert = Ci.nsITLSServerSocket.REQUEST_NEVER;
this._socket.setRequestClientCertificate(requestCert);
diff --git a/dom/presentation/provider/PresentationControlService.js b/dom/presentation/provider/PresentationControlService.js
index fe61d26d65..e9f92247f4 100644
--- a/dom/presentation/provider/PresentationControlService.js
+++ b/dom/presentation/provider/PresentationControlService.js
@@ -100,7 +100,6 @@ PresentationControlService.prototype = {
if (aCert) {
this._serverSocket.serverCert = aCert;
- this._serverSocket.setSessionCache(false);
this._serverSocket.setSessionTickets(false);
let requestCert = Ci.nsITLSServerSocket.REQUEST_NEVER;
this._serverSocket.setRequestClientCertificate(requestCert);
diff --git a/netwerk/base/TLSServerSocket.cpp b/netwerk/base/TLSServerSocket.cpp
index 257a7f5da5..97c7f54231 100644
--- a/netwerk/base/TLSServerSocket.cpp
+++ b/netwerk/base/TLSServerSocket.cpp
@@ -52,12 +52,12 @@ TLSServerSocket::SetSocketDefaults()
SSL_OptionSet(mFD, SSL_SECURITY, true);
SSL_OptionSet(mFD, SSL_HANDSHAKE_AS_CLIENT, false);
SSL_OptionSet(mFD, SSL_HANDSHAKE_AS_SERVER, true);
-
+ SSL_OptionSet(mFD, SSL_NO_CACHE, true);
+
// We don't currently notify the server API consumer of renegotiation events
// (to revalidate peer certs, etc.), so disable it for now.
SSL_OptionSet(mFD, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_NEVER);
- SetSessionCache(true);
SetSessionTickets(true);
SetRequestClientCertificate(REQUEST_NEVER);
@@ -172,18 +172,6 @@ TLSServerSocket::SetServerCert(nsIX509Cert* aCert)
}
NS_IMETHODIMP
-TLSServerSocket::SetSessionCache(bool aEnabled)
-{
- // If AsyncListen was already called (and set mListener), it's too late to set
- // this.
- if (NS_WARN_IF(mListener)) {
- return NS_ERROR_IN_PROGRESS;
- }
- SSL_OptionSet(mFD, SSL_NO_CACHE, !aEnabled);
- return NS_OK;
-}
-
-NS_IMETHODIMP
TLSServerSocket::SetSessionTickets(bool aEnabled)
{
// If AsyncListen was already called (and set mListener), it's too late to set
diff --git a/netwerk/base/nsITLSServerSocket.idl b/netwerk/base/nsITLSServerSocket.idl
index 57485357f5..dce54ffe74 100644
--- a/netwerk/base/nsITLSServerSocket.idl
+++ b/netwerk/base/nsITLSServerSocket.idl
@@ -20,15 +20,6 @@ interface nsITLSServerSocket : nsIServerSocket
attribute nsIX509Cert serverCert;
/**
- * setSessionCache
- *
- * Whether the server should use a session cache. Defaults to true. This
- * should be set before calling |asyncListen| if you wish to change the
- * default.
- */
- void setSessionCache(in boolean aSessionCache);
-
- /**
* setSessionTickets
*
* Whether the server should support session tickets. Defaults to true. This
diff --git a/netwerk/test/unit/test_be_conservative.js b/netwerk/test/unit/test_be_conservative.js
index 2c6ac46ad5..36b6d3b90f 100644
--- a/netwerk/test/unit/test_be_conservative.js
+++ b/netwerk/test/unit/test_be_conservative.js
@@ -140,7 +140,6 @@ function startServer(cert, minServerVersion, maxServerVersion) {
tlsServer.init(-1, true, -1);
tlsServer.serverCert = cert;
tlsServer.setVersionRange(minServerVersion, maxServerVersion);
- tlsServer.setSessionCache(false);
tlsServer.setSessionTickets(false);
tlsServer.asyncListen(new ServerSocketListener());
return tlsServer;
diff --git a/netwerk/test/unit/test_tls_server.js b/netwerk/test/unit/test_tls_server.js
index d805359c7b..12154a27fe 100644
--- a/netwerk/test/unit/test_tls_server.js
+++ b/netwerk/test/unit/test_tls_server.js
@@ -90,7 +90,6 @@ function startServer(cert, expectingPeerCert, clientCertificateConfig,
onStopListening: function() {}
};
- tlsServer.setSessionCache(false);
tlsServer.setSessionTickets(false);
tlsServer.setRequestClientCertificate(clientCertificateConfig);
diff --git a/netwerk/test/unit/test_tls_server_multiple_clients.js b/netwerk/test/unit/test_tls_server_multiple_clients.js
index b63c0189bd..74b814e9cf 100644
--- a/netwerk/test/unit/test_tls_server_multiple_clients.js
+++ b/netwerk/test/unit/test_tls_server_multiple_clients.js
@@ -67,7 +67,6 @@ function startServer(cert) {
onStopListening: function() {}
};
- tlsServer.setSessionCache(true);
tlsServer.setSessionTickets(false);
tlsServer.asyncListen(listener);
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 71043a0e71..14b1312de7 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1938,20 +1938,6 @@ nsNSSComponent::InitializeNSS()
return NS_ERROR_FAILURE;
}
- // TLSServerSocket may be run with the session cache enabled. It is necessary
- // to call this once before that can happen. This specifies a maximum of 1000
- // cache entries (the default number of cache entries is 10000, which seems a
- // little excessive as there probably won't be that many clients connecting to
- // any TLSServerSockets the browser runs.)
- // Note that this must occur before any calls to SSL_ClearSessionCache
- // (otherwise memory will leak).
- if (SSL_ConfigServerSessionIDCache(1000, 0, 0, nullptr) != SECSuccess) {
-#ifdef ANDROID
- MOZ_RELEASE_ASSERT(false);
-#endif
- return NS_ERROR_FAILURE;
- }
-
// ensure the CertBlocklist is initialised
nsCOMPtr<nsICertBlocklist> certList = do_GetService(NS_CERTBLOCKLIST_CONTRACTID);
#ifdef ANDROID
diff --git a/security/manager/ssl/tests/unit/test_weak_crypto.js b/security/manager/ssl/tests/unit/test_weak_crypto.js
index effedf8e3a..3367e90677 100644
--- a/security/manager/ssl/tests/unit/test_weak_crypto.js
+++ b/security/manager/ssl/tests/unit/test_weak_crypto.js
@@ -77,7 +77,6 @@ function startServer(cert, rc4only) {
onStopListening: function() {}
};
- tlsServer.setSessionCache(false);
tlsServer.setSessionTickets(false);
tlsServer.setRequestClientCertificate(Ci.nsITLSServerSocket.REQUEST_NEVER);
if (rc4only) {
diff --git a/xpcom/build/XPCOMInit.cpp b/xpcom/build/XPCOMInit.cpp
index e8ee5828a4..b89f51a98a 100644
--- a/xpcom/build/XPCOMInit.cpp
+++ b/xpcom/build/XPCOMInit.cpp
@@ -123,6 +123,8 @@ extern nsresult nsStringInputStreamConstructor(nsISupports*, REFNSIID, void**);
#include "nsMemoryInfoDumper.h"
#include "nsSecurityConsoleMessage.h"
#include "nsMessageLoop.h"
+#include "nss.h"
+#include "ssl.h"
#include "nsStatusReporterManager.h"
@@ -1043,6 +1045,17 @@ ShutdownXPCOM(nsIServiceManager* aServMgr)
sInitializedJS = false;
}
+ // At this point all networking threads should have been joined and the
+ // component manager is shut down. Any remaining objects that hold NSS
+ // resources (should!) have been released, so we can safely shut down NSS.
+ if (NSS_IsInitialized()) {
+ SSL_ClearSessionCache();
+ // XXX: It would be nice if we can enforce this shutdown.
+ if (NSS_Shutdown() != SECSuccess) {
+ NS_WARNING("NSS Shutdown failed - some resources are still in use");
+ }
+ }
+
// Release our own singletons
// Do this _after_ shutting down the component manager, because the
// JS component loader will use XPConnect to call nsIModule::canUnload,