This flips the default for security.tls.version.min to 3 (TLS 1.2) for the Nightly channel. Having had this pref at this level for the last year, I can confirm that this does break the occasional site, but it is quite rare. The intent of this change is to start making it more obvious when sites don't support TLS 1.2. I'm asking for wider review because this is a disruptive change. Differential Revision: https://phabricator.services.mozilla.com/D45627 --HG-- extra : moz-landing-system : lando
/*
 * Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/publicdomain/zero/1.0/
 *
 * Tests for Bug 1535210 - Set SSL STATE_IS_BROKEN flag for TLS 1.0 and TLS 1.1 connections
 */
// Test origins, one per protocol version under test. The names suggest each
// host negotiates exactly that TLS version; the server-side setup is not part
// of this file, so confirm against the test server configuration.

// Deprecated versions: a page loaded from these must be flagged as broken.
const HTTPS_TLS1_0 = "https://tls1.example.com";
const HTTPS_TLS1_1 = "https://tls11.example.com";

// Current versions: a page loaded from these must be reported as secure.
const HTTPS_TLS1_2 = "https://tls12.example.com";
const HTTPS_TLS1_3 = "https://tls13.example.com";
/**
 * Read the class string of the "identity-box" element, which the test uses as
 * the visible identity/security indicator of the window.
 *
 * @param {Window} aWindow - window whose document is inspected; defaults to
 *   the global `window`.
 * @returns {string} the element's `className`, e.g. "verifiedDomain" or
 *   "unknownIdentity weakCipher" (the two values this test compares against).
 */
function getIdentityMode(aWindow = window) {
  const identityBox = aWindow.document.getElementById("identity-box");
  return identityBox.className;
}
/**
 * Report the connection state shown by the identity popup.
 *
 * @returns {string|null} value of the "connection" attribute on the
 *   "identity-popup" element; this test expects "secure" or "not-secure".
 */
function getConnectionState() {
  // Click the identity box first so that lazily loaded popup content exists
  // before it is queried; reading it earlier caused problems.
  const identityBox = document.getElementById("identity-box");
  identityBox.click();

  // Refresh the popup before reading it, so the attribute is read after the
  // handler has updated the popup.
  gIdentityHandler.refreshIdentityPopup();

  const identityPopup = document.getElementById("identity-popup");
  return identityPopup.getAttribute("connection");
}
// The test task lowers the minimum accepted TLS version. Clearing both user
// prefs on cleanup restores the default version range, so the weakened floor
// does not carry over into whatever runs after this test.
registerCleanupFunction(function() {
  const tlsVersionPrefs = [
    "security.tls.version.min",
    "security.tls.version.max",
  ];
  for (const prefName of tlsVersionPrefs) {
    Services.prefs.clearUserPref(prefName);
  }
});
// Loads one page per TLS version in a single tab and checks, after every
// load, the three places where the connection's security is surfaced: the
// browser's security state, the identity box class, and the identity popup's
// "connection" attribute. TLS 1.0 and 1.1 must show up as broken/not-secure,
// TLS 1.2 and 1.3 as secure, including when navigating from one to the other.
add_task(async function() {
  // Accept every version for this test: min 1 is TLS 1.0 and max 4 is
  // TLS 1.3. With a higher minimum the deprecated-version pages would not
  // load at all and their indicators could not be checked.
  Services.prefs.setIntPref("security.tls.version.min", 1);
  Services.prefs.setIntPref("security.tls.version.max", 4);

  // Expected indicators for a deprecated-version connection.
  const expectBroken = {
    securityState: "broken",
    identityMode: "unknownIdentity weakCipher",
    identityMessage: "Identity should be unknownIdentity",
    connectionState: "not-secure",
    connectionMessage: "connectionState should be not-secure",
  };

  // Expected indicators for a TLS 1.2 / TLS 1.3 connection.
  const expectSecure = {
    securityState: "secure",
    identityMode: "verifiedDomain",
    identityMessage: "Identity should be verified",
    connectionState: "secure",
    connectionMessage: "connectionState should be secure",
  };

  // Navigation sequence, in order. The same tab is reused on purpose so the
  // broken -> secure -> broken transitions are exercised: a stale indicator
  // from the previous page would make one of these steps fail.
  const steps = [
    [HTTPS_TLS1_0, expectBroken], // deprecated version
    [HTTPS_TLS1_1, expectBroken], // deprecated version
    [HTTPS_TLS1_2, expectSecure], // transition to secure
    [HTTPS_TLS1_1, expectBroken], // transition back to broken
    [HTTPS_TLS1_3, expectSecure], // TLS 1.3 for completeness
  ];

  await BrowserTestUtils.withNewTab("about:blank", async function(browser) {
    for (const [url, expected] of steps) {
      await BrowserTestUtils.loadURI(browser, url);
      await BrowserTestUtils.browserLoaded(browser);

      // isSecurityState is defined outside this file (presumably in the
      // directory's shared test head); verify there what exactly it compares.
      isSecurityState(browser, expected.securityState);
      is(getIdentityMode(), expected.identityMode, expected.identityMessage);
      is(
        getConnectionState(),
        expected.connectionState,
        expected.connectionMessage
      );
    }
  });
});