Bug 1250582 - Remove SSL_FALLBACK_LIMIT_REACHED telemetry. r?keeler
Bug 1084025 added this telemetry to measure the impact of bumping the fallback limit.
But we already bumped the fallback limit to TLS 1.2 long before. We will not need this kind of telemetry until we bump the fallback limit to TLS 1.3 that will not happen in the near future. So let's just remove wasting resource for now.
MozReview-Commit-ID: 22o8FirlYql
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -688,42 +688,38 @@ nsSSLIOLayerHelpers::rememberTolerantAtV
entry.strongCipherStatus = StrongCiphersWorked;
}
entry.AssertInvariant();
mTLSIntoleranceInfo.Put(key, entry);
}
-uint16_t
+void
nsSSLIOLayerHelpers::forgetIntolerance(const nsACString& hostName,
int16_t port)
{
nsCString key;
getSiteKey(hostName, port, key);
MutexAutoLock lock(mutex);
- uint16_t tolerant = 0;
IntoleranceEntry entry;
if (mTLSIntoleranceInfo.Get(key, &entry)) {
entry.AssertInvariant();
- tolerant = entry.tolerant;
entry.intolerant = 0;
entry.intoleranceReason = 0;
if (entry.strongCipherStatus != StrongCiphersWorked) {
entry.strongCipherStatus = StrongCipherStatusUnknown;
}
entry.AssertInvariant();
mTLSIntoleranceInfo.Put(key, entry);
}
-
- return tolerant;
}
bool
nsSSLIOLayerHelpers::fallbackLimitReached(const nsACString& hostName,
uint16_t intolerant)
{
if (isInsecureFallbackSite(hostName)) {
return intolerant <= SSL_LIBRARY_VERSION_TLS_1_0;
@@ -736,59 +732,17 @@ bool
nsSSLIOLayerHelpers::rememberIntolerantAtVersion(const nsACString& hostName,
int16_t port,
uint16_t minVersion,
uint16_t intolerant,
PRErrorCode intoleranceReason)
{
if (intolerant <= minVersion || fallbackLimitReached(hostName, intolerant)) {
// We can't fall back any further. Assume that intolerance isn't the issue.
- uint32_t tolerant = forgetIntolerance(hostName, port);
- // If we know the server is tolerant at the version, we don't have to
- // gather the telemetry.
- if (intolerant <= tolerant) {
- return false;
- }
-
- // This telemetry doesn't support TLS 1.3
- // See bug 1250582
- uint32_t fallbackLimitBucket = 0;
- // added if the version has reached the min version.
- if (intolerant <= minVersion) {
- switch (minVersion) {
- case SSL_LIBRARY_VERSION_TLS_1_0:
- fallbackLimitBucket += 1;
- break;
- case SSL_LIBRARY_VERSION_TLS_1_1:
- fallbackLimitBucket += 2;
- break;
- case SSL_LIBRARY_VERSION_TLS_1_2:
- fallbackLimitBucket += 3;
- break;
- }
- }
- // added if the version has reached the fallback limit.
- if (intolerant <= mVersionFallbackLimit) {
- switch (mVersionFallbackLimit) {
- case SSL_LIBRARY_VERSION_TLS_1_0:
- fallbackLimitBucket += 4;
- break;
- case SSL_LIBRARY_VERSION_TLS_1_1:
- fallbackLimitBucket += 8;
- break;
- case SSL_LIBRARY_VERSION_TLS_1_2:
- fallbackLimitBucket += 12;
- break;
- }
- }
- if (fallbackLimitBucket) {
- Telemetry::Accumulate(Telemetry::SSL_FALLBACK_LIMIT_REACHED,
- fallbackLimitBucket);
- }
-
+ forgetIntolerance(hostName, port);
return false;
}
nsCString key;
getSiteKey(hostName, port, key);
MutexAutoLock lock(mutex);
--- a/security/manager/ssl/nsNSSIOLayer.h
+++ b/security/manager/ssl/nsNSSIOLayer.h
@@ -212,19 +212,17 @@ public:
void rememberTolerantAtVersion(const nsACString& hostname, int16_t port,
uint16_t tolerant);
bool fallbackLimitReached(const nsACString& hostname, uint16_t intolerant);
bool rememberIntolerantAtVersion(const nsACString& hostname, int16_t port,
uint16_t intolerant, uint16_t minVersion,
PRErrorCode intoleranceReason);
bool rememberStrongCiphersFailed(const nsACString& hostName, int16_t port,
PRErrorCode intoleranceReason);
- // returns the known tolerant version
- // or 0 if there is no known tolerant version
- uint16_t forgetIntolerance(const nsACString& hostname, int16_t port);
+ void forgetIntolerance(const nsACString& hostname, int16_t port);
void adjustForTLSIntolerance(const nsACString& hostname, int16_t port,
/*in/out*/ SSLVersionRange& range,
/*out*/ StrongCipherStatus& strongCipherStatus);
PRErrorCode getIntoleranceReason(const nsACString& hostname, int16_t port);
void clearStoredData();
void loadVersionFallbackLimit();
void setInsecureFallbackSites(const nsCString& str);
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -7526,23 +7526,16 @@
},
"SSL_VERSION_FALLBACK_INAPPROPRIATE": {
"alert_emails": ["seceng-telemetry@mozilla.com"],
"expires_in_version": "never",
"kind": "enumerated",
"n_values": 64,
"description": "TLS/SSL version intolerance was falsely detected, server rejected handshake (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp)."
},
- "SSL_FALLBACK_LIMIT_REACHED": {
- "alert_emails": ["seceng-telemetry@mozilla.com"],
- "expires_in_version": "default",
- "kind": "enumerated",
- "n_values": 16,
- "description": "TLS/SSL version fallback reached the minimum version (1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2) or the fallback limit (4=TLS 1.0, 8=TLS 1.1, 12=TLS 1.2), stopped the fallback"
- },
"SSL_CIPHER_SUITE_FULL": {
"alert_emails": ["seceng-telemetry@mozilla.com"],
"expires_in_version": "never",
"kind": "enumerated",
"n_values": 128,
"description": "Negotiated cipher suite in full handshake (see key in HandshakeCallback in nsNSSCallbacks.cpp)"
},
"SSL_CIPHER_SUITE_RESUMED": {
--- a/toolkit/components/telemetry/histogram-whitelists.json
+++ b/toolkit/components/telemetry/histogram-whitelists.json
@@ -867,17 +867,16 @@
"SPDY_VERSION2",
"SSL_AUTH_ALGORITHM_FULL",
"SSL_AUTH_ECDSA_CURVE_FULL",
"SSL_AUTH_RSA_KEY_SIZE_FULL",
"SSL_BYTES_BEFORE_CERT_CALLBACK",
"SSL_CERT_ERROR_OVERRIDES",
"SSL_CIPHER_SUITE_FULL",
"SSL_CIPHER_SUITE_RESUMED",
- "SSL_FALLBACK_LIMIT_REACHED",
"SSL_HANDSHAKE_TYPE",
"SSL_HANDSHAKE_VERSION",
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX",
"SSL_KEA_DHE_KEY_SIZE_FULL",
"SSL_KEA_ECDHE_CURVE_FULL",
"SSL_KEA_RSA_KEY_SIZE_FULL",
"SSL_KEY_EXCHANGE_ALGORITHM_FULL",
"SSL_KEY_EXCHANGE_ALGORITHM_RESUMED",
@@ -2049,17 +2048,16 @@
"SSL_AUTH_ALGORITHM_FULL",
"SSL_AUTH_ECDSA_CURVE_FULL",
"SSL_AUTH_RSA_KEY_SIZE_FULL",
"SSL_BYTES_BEFORE_CERT_CALLBACK",
"SSL_CERT_ERROR_OVERRIDES",
"SSL_CERT_VERIFICATION_ERRORS",
"SSL_CIPHER_SUITE_FULL",
"SSL_CIPHER_SUITE_RESUMED",
- "SSL_FALLBACK_LIMIT_REACHED",
"SSL_HANDSHAKE_TYPE",
"SSL_HANDSHAKE_VERSION",
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX",
"SSL_KEA_DHE_KEY_SIZE_FULL",
"SSL_KEA_ECDHE_CURVE_FULL",
"SSL_KEA_RSA_KEY_SIZE_FULL",
"SSL_KEY_EXCHANGE_ALGORITHM_FULL",
"SSL_KEY_EXCHANGE_ALGORITHM_RESUMED",