Bug 1305561 - Do not check renego extension when TLS version is 1.3. r=keeler
MozReview-Commit-ID: JtT6hLcbl3W
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -1185,21 +1185,26 @@ void HandshakeCallback(PRFileDesc* fd, v
infoObject->IsFullHandshake()
? Telemetry::SSL_SYMMETRIC_CIPHER_FULL
: Telemetry::SSL_SYMMETRIC_CIPHER_RESUMED,
cipherInfo.symCipher);
}
}
PRBool siteSupportsSafeRenego;
- rv = SSL_HandshakeNegotiatedExtension(fd, ssl_renegotiation_info_xtn,
- &siteSupportsSafeRenego);
- MOZ_ASSERT(rv == SECSuccess);
- if (rv != SECSuccess) {
- siteSupportsSafeRenego = false;
+ if (channelInfo.protocolVersion != SSL_LIBRARY_VERSION_TLS_1_3) {
+ rv = SSL_HandshakeNegotiatedExtension(fd, ssl_renegotiation_info_xtn,
+ &siteSupportsSafeRenego);
+ MOZ_ASSERT(rv == SECSuccess);
+ if (rv != SECSuccess) {
+ siteSupportsSafeRenego = false;
+ }
+ } else {
+ // TLS 1.3 dropped support for renegotiation.
+ siteSupportsSafeRenego = true;
}
bool renegotiationUnsafe = !siteSupportsSafeRenego &&
ioLayerHelpers.treatUnsafeNegotiationAsBroken();
/* Set the SSL Status information */
RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
if (!status) {
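Review bot: The guard `if (channelInfo.protocolVersion != SSL_LIBRARY_VERSION_TLS_1_3)` special-cases exactly TLS 1.3, so any later protocol version would fall back to querying ssl_renegotiation_info_xtn and, because renegotiation is gone from 1.3 onward, be reported as unsafe again — the same mis-classification this commit fixes for 1.3; comparing with `<` states the intent directly: `if (channelInfo.protocolVersion < SSL_LIBRARY_VERSION_TLS_1_3) {`. The `else` branch's comment would also help a reader more if it said why `true` is the right value for a flag named "supports safe renego", e.g. `// TLS 1.3 dropped renegotiation entirely, so the renegotiation_info extension is never negotiated; treat the site as safe so renegotiationUnsafe below stays false.` channelInfo is presumably filled in earlier in HandshakeCallback, outside this hunk, so it is worth confirming it is valid on every path that reaches this point. The enclosing function HandshakeCallback starts and ends outside the hunk.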