diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp index e969d60c4d2d..df4bad74e5c3 100644 --- a/netwerk/protocol/http/Http2Session.cpp +++ b/netwerk/protocol/http/Http2Session.cpp @@ -223,7 +223,7 @@ void Http2Session::ShutdownStream(Http2StreamBase* aStream, nsresult aReason) { CloseStream(aStream, NS_ERROR_NET_INADEQUATE_SECURITY); } else if (!mCleanShutdown && (mGoAwayReason != NO_HTTP_ERROR)) { CloseStream(aStream, NS_ERROR_NET_HTTP2_SENT_GOAWAY); - } else if (!mCleanShutdown && SecurityErrorThatMayNeedRestart(aReason)) { + } else if (!mCleanShutdown && PossibleZeroRTTRetryError(aReason)) { CloseStream(aStream, aReason); } else { CloseStream(aStream, NS_ERROR_ABORT); diff --git a/netwerk/protocol/http/nsHttp.cpp b/netwerk/protocol/http/nsHttp.cpp index 768ad9172973..5425c3c7b9c1 100644 --- a/netwerk/protocol/http/nsHttp.cpp +++ b/netwerk/protocol/http/nsHttp.cpp @@ -1017,13 +1017,15 @@ SupportedAlpnRank IsAlpnSupported(const nsACString& aAlpn) { return SupportedAlpnRank::NOT_SUPPORTED; } -// On some security error when 0RTT is used we want to restart transactions -// without 0RTT. Some firewalls do not behave well with 0RTT and cause this -// errors. -bool SecurityErrorThatMayNeedRestart(nsresult aReason) { +// NSS Errors which *may* have been triggered by the use of 0-RTT in the +// presence of badly behaving middleboxes. We may re-attempt the connection +// without early data. +bool PossibleZeroRTTRetryError(nsresult aReason) { return (aReason == psm::GetXPCOMFromNSSError(SSL_ERROR_PROTOCOL_VERSION_ALERT)) || - (aReason == psm::GetXPCOMFromNSSError(SSL_ERROR_BAD_MAC_ALERT)); + (aReason == psm::GetXPCOMFromNSSError(SSL_ERROR_BAD_MAC_ALERT)) || + (aReason == + psm::GetXPCOMFromNSSError(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT)); } nsresult MakeOriginURL(const nsACString& origin, nsCOMPtr& url) { diff --git a/netwerk/protocol/http/nsHttp.h b/netwerk/protocol/http/nsHttp.h index d0bd4cfe678d..fc20351c9d44 100644 --- a/netwerk/protocol/http/nsHttp.h +++ b/netwerk/protocol/http/nsHttp.h @@ -499,8 +499,6 @@ static inline bool AllowedErrorForHTTPSRRFallback(nsresult aError) { aError == NS_ERROR_UNKNOWN_HOST || aError == NS_ERROR_NET_TIMEOUT; } -bool SecurityErrorThatMayNeedRestart(nsresult aReason); - [[nodiscard]] nsresult MakeOriginURL(const nsACString& origin, nsCOMPtr& url); @@ -521,6 +519,8 @@ uint64_t WebTransportErrorToHttp3Error(uint8_t aErrorCode); uint8_t Http3ErrorToWebTransportError(uint64_t aErrorCode); +bool PossibleZeroRTTRetryError(nsresult aReason); + } // namespace net } // namespace mozilla diff --git a/netwerk/protocol/http/nsHttpConnection.cpp b/netwerk/protocol/http/nsHttpConnection.cpp index 023c06f3f31b..cd41cd65bc25 100644 --- a/netwerk/protocol/http/nsHttpConnection.cpp +++ b/netwerk/protocol/http/nsHttpConnection.cpp @@ -742,7 +742,7 @@ void nsHttpConnection::Close(nsresult reason, bool aIsShutdown) { gHttpHandler->ClearHostMapping(mConnInfo); } if (mTlsHandshaker->EarlyDataWasAvailable() && - SecurityErrorThatMayNeedRestart(reason)) { + PossibleZeroRTTRetryError(reason)) { gHttpHandler->Exclude0RttTcp(mConnInfo); } diff --git a/netwerk/protocol/http/nsHttpTransaction.cpp b/netwerk/protocol/http/nsHttpTransaction.cpp index a2d6fcb9db8d..a2d2504d6b3f 100644 --- a/netwerk/protocol/http/nsHttpTransaction.cpp +++ b/netwerk/protocol/http/nsHttpTransaction.cpp @@ -1341,7 +1341,7 @@ bool nsHttpTransaction::ShouldRestartOn0RttError(nsresult reason) { "mEarlyDataWasAvailable=%d error=%" PRIx32 "]\n", this, mEarlyDataWasAvailable, static_cast(reason))); return StaticPrefs::network_http_early_data_disable_on_error() && - mEarlyDataWasAvailable && SecurityErrorThatMayNeedRestart(reason); + mEarlyDataWasAvailable && PossibleZeroRTTRetryError(reason); } static void MaybeRemoveSSLToken(nsITransportSecurityInfo* aSecurityInfo) { @@ -1508,7 +1508,7 @@ void nsHttpTransaction::Close(nsresult reason) { if (reason == psm::GetXPCOMFromNSSError(SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA) || - reason == psm::GetXPCOMFromNSSError(SSL_ERROR_PROTOCOL_VERSION_ALERT) || + PossibleZeroRTTRetryError(reason) || (!mReceivedData && ((mRequestHead && mRequestHead->IsSafeMethod()) || !reallySentData || connReused)) || shouldRestartTransactionForHTTPSRR) { @@ -1549,9 +1549,8 @@ void nsHttpTransaction::Close(nsresult reason) { } else if (reason == psm::GetXPCOMFromNSSError( SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA)) { SetRestartReason(TRANSACTION_RESTART_DOWNGRADE_WITH_EARLY_DATA); - } else if (reason == - psm::GetXPCOMFromNSSError(SSL_ERROR_PROTOCOL_VERSION_ALERT)) { - SetRestartReason(TRANSACTION_RESTART_PROTOCOL_VERSION_ALERT); + } else if (PossibleZeroRTTRetryError(reason)) { + SetRestartReason(TRANSACTION_RESTART_POSSIBLE_0RTT_ERROR); } // if restarting fails, then we must proceed to close the pipe, // which will notify the channel that the transaction failed. diff --git a/netwerk/protocol/http/nsHttpTransaction.h b/netwerk/protocol/http/nsHttpTransaction.h index 354fa2c4d292..5256de4cf2df 100644 --- a/netwerk/protocol/http/nsHttpTransaction.h +++ b/netwerk/protocol/http/nsHttpTransaction.h @@ -299,6 +299,7 @@ class nsHttpTransaction final : public nsAHttpTransaction, TRANSACTION_RESTART_HTTP3_FAST_FALLBACK, TRANSACTION_RESTART_OTHERS, TRANSACTION_RESTART_PROTOCOL_VERSION_ALERT, + TRANSACTION_RESTART_POSSIBLE_0RTT_ERROR }; void SetRestartReason(TRANSACTION_RESTART_REASON aReason);