Bug 1250568 - Adding TLS 1.3 to nsISSLStatus, r=keeler
MozReview-Commit-ID: 4mLdtsdFoKN
--- a/browser/base/content/pageinfo/security.js
+++ b/browser/base/content/pageinfo/security.js
@@ -85,16 +85,19 @@ var security = {
retval.version = "TLS 1.0";
break;
case nsISSLStatus.TLS_VERSION_1_1:
retval.version = "TLS 1.1";
break;
case nsISSLStatus.TLS_VERSION_1_2:
retval.version = "TLS 1.2"
break;
+ case nsISSLStatus.TLS_VERSION_1_3:
+ retval.version = "TLS 1.3"
+ break;
}
return retval;
} else {
return {
hostName : hostName,
cAName : "",
encryptionAlgorithm : "",
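Review bot: The added `retval.version = "TLS 1.3"` has no terminating semicolon, repeating the slip on the TLS 1.2 line just above it; write `retval.version = "TLS 1.3";` rather than relying on ASI. The visible part of the switch also has no `default:` arm, so a protocolVersion newer than the constants listed here would apparently leave `retval.version` unset. If the code above the hunk does not already handle that, a `default:` arm that assigns an explicit fallback value would keep the reported protocol version from being blank. The enclosing function starts and ends outside the hunk.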
--- a/devtools/shared/security/socket.js
+++ b/devtools/shared/security/socket.js
@@ -670,17 +670,17 @@ ServerSocketConnection.prototype = {
/*
* TODO: These rules should be really be set on the TLS socket directly, but
* this would need more platform work to expose it via XPCOM.
*
* Enforcing cipher suites here would be a bad idea, as we want TLS
* cipher negotiation to work correctly. The server already allows only
* Gecko's normal set of cipher suites.
*/
- if (clientStatus.tlsVersionUsed != Ci.nsITLSClientStatus.TLS_VERSION_1_2) {
+ if (clientStatus.tlsVersionUsed < Ci.nsITLSClientStatus.TLS_VERSION_1_2) {
this._handshakeDeferred.reject(Cr.NS_ERROR_CONNECTION_REFUSED);
return;
}
this._handshakeDeferred.resolve();
},
_authenticate: Task.async(function*() {
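Review bot: The relaxed check `clientStatus.tlsVersionUsed < Ci.nsITLSClientStatus.TLS_VERSION_1_2` now depends on the numeric ordering of the version constants, and nothing at the call site says so. It holds for nsITLSClientStatus because those constants are the TLS wire values (0x0300 through 0x0304 in this commit) and `TLS_VERSION_UNKNOWN` is -1, so an unknown version still falls below the floor and is refused. I would add a comment above the `if`, for example `// Minimum TLS 1.2; relies on wire-value ordering, and TLS_VERSION_UNKNOWN (-1) is rejected too.`, so a later change to the constants does not silently weaken the floor. The enclosing method begins outside the hunk.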
--- a/devtools/shared/webconsole/network-helper.js
+++ b/devtools/shared/webconsole/network-helper.js
@@ -521,17 +521,17 @@ var NetworkHelper = {
* * "insecure": the connection was not secure (only http)
* * "weak": the connection has minor security issues
* * "broken": secure connection failed (e.g. expired cert)
* * "secure": the connection was properly secured.
* If state == broken:
* - errorMessage: full error message from
* nsITransportSecurityInfo.
* If state == secure:
- * - protocolVersion: one of TLSv1, TLSv1.1, TLSv1.2.
+ * - protocolVersion: one of TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.
* - cipherSuite: the cipher suite used in this connection.
* - cert: information about certificate used in this connection.
* See parseCertificateInfo for the contents.
* - hsts: true if host uses Strict Transport Security,
* false otherwise
* - hpkp: true if host uses Public Key Pinning, false otherwise
* If state == weak: Same as state == secure and
* - weaknessReasons: list of reasons that cause the request to be
@@ -705,27 +705,29 @@ var NetworkHelper = {
/**
* Takes protocolVersion of SSLStatus object and returns human readable
* description.
*
* @param Number version
* One of nsISSLStatus version constants.
* @return string
- * One of TLSv1, TLSv1.1, TLSv1.2 if @param version is valid,
- * Unknown otherwise.
+ * One of TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 if @param version
+ * is valid, Unknown otherwise.
*/
formatSecurityProtocol: function (version) {
switch (version) {
case Ci.nsISSLStatus.TLS_VERSION_1:
return "TLSv1";
case Ci.nsISSLStatus.TLS_VERSION_1_1:
return "TLSv1.1";
case Ci.nsISSLStatus.TLS_VERSION_1_2:
return "TLSv1.2";
+ case Ci.nsISSLStatus.TLS_VERSION_1_3:
+ return "TLSv1.3";
default:
DevToolsUtils.reportException("NetworkHelper.formatSecurityProtocol",
"protocolVersion " + version + " is unknown.");
return "Unknown";
}
},
/**
--- a/devtools/shared/webconsole/test/unit/test_security-info-protocol-version.js
+++ b/devtools/shared/webconsole/test/unit/test_security-info-protocol-version.js
@@ -27,16 +27,20 @@ const TEST_CASES = [
description: "TLS_VERSION_1.1",
input: 2,
expected: "TLSv1.1"
}, {
description: "TLS_VERSION_1.2",
input: 3,
expected: "TLSv1.2"
}, {
+ description: "TLS_VERSION_1.3",
+ input: 4,
+ expected: "TLSv1.3"
+ }, {
description: "invalid version",
input: -1,
expected: "Unknown"
},
];
function run_test() {
do_print("Testing NetworkHelper.formatSecurityProtocol.");
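Review bot: The only negative case in TEST_CASES is `input: -1`, so with the new highest valid value at 4 the first unassigned value above it is not covered. Adding `{ description: "unassigned version", input: 5, expected: "Unknown" }` would pin the `default:` arm of formatSecurityProtocol on both sides of the valid range. TEST_CASES and run_test both extend outside the hunk.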
--- a/netwerk/base/nsITLSServerSocket.idl
+++ b/netwerk/base/nsITLSServerSocket.idl
@@ -95,16 +95,17 @@ interface nsITLSClientStatus : nsISuppor
/**
* Values for tlsVersionUsed, as defined by TLS
*/
const short SSL_VERSION_3 = 0x0300;
const short TLS_VERSION_1 = 0x0301;
const short TLS_VERSION_1_1 = 0x0302;
const short TLS_VERSION_1_2 = 0x0303;
+ const short TLS_VERSION_1_3 = 0x0304;
const short TLS_VERSION_UNKNOWN = -1;
/**
* tlsVersionUsed
*
* The version of TLS used by the connection. See values above.
*/
readonly attribute short tlsVersionUsed;
--- a/netwerk/socket/nsISSLSocketControl.idl
+++ b/netwerk/socket/nsISSLSocketControl.idl
@@ -78,16 +78,17 @@ interface nsISSLSocketControl : nsISuppo
*/
readonly attribute uint32_t providerFlags;
/* These values are defined by TLS. */
const short SSL_VERSION_3 = 0x0300;
const short TLS_VERSION_1 = 0x0301;
const short TLS_VERSION_1_1 = 0x0302;
const short TLS_VERSION_1_2 = 0x0303;
+ const short TLS_VERSION_1_3 = 0x0304;
const short SSL_VERSION_UNKNOWN = -1;
[infallible] readonly attribute short SSLVersionUsed;
[infallible] readonly attribute short SSLVersionOffered;
/* These values match the NSS defined values in sslt.h */
const short SSL_MAC_UNKNOWN = -1;
const short SSL_MAC_NULL = 0;
--- a/security/manager/ssl/nsISSLStatus.idl
+++ b/security/manager/ssl/nsISSLStatus.idl
@@ -15,16 +15,17 @@ interface nsISSLStatus : nsISupports {
readonly attribute ACString cipherName;
readonly attribute unsigned long keyLength;
readonly attribute unsigned long secretKeyLength;
const short SSL_VERSION_3 = 0;
const short TLS_VERSION_1 = 1;
const short TLS_VERSION_1_1 = 2;
const short TLS_VERSION_1_2 = 3;
+ const short TLS_VERSION_1_3 = 4;
readonly attribute unsigned short protocolVersion;
readonly attribute boolean isDomainMismatch;
readonly attribute boolean isNotValidAtThisTime;
/* Note: To distinguish between
* "unstrusted because missing or untrusted issuer"
* and