1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
|
/* Any copyright is dedicated to the Public Domain.
* http://creativecommons.org/publicdomain/zero/1.0/ */
"use strict";
const SSL3_PAGE = "https://ssl3.example.com/";
const TLS10_PAGE = "https://tls1.example.com/";
const TLS12_PAGE = "https://tls12.example.com/";
const TRIPLEDES_PAGE = "https://3des.example.com/";
const lazy = {};
XPCOMUtils.defineLazyServiceGetter(
lazy,
"gDNSOverride",
"@mozilla.org/network/native-dns-override;1",
"nsINativeDNSResolverOverride"
);
// This includes all the cipher suite prefs we have.
function resetPrefs() {
Services.prefs.clearUserPref("security.tls.version.min");
Services.prefs.clearUserPref("security.tls.version.max");
Services.prefs.clearUserPref("security.tls.version.enable-deprecated");
Services.prefs.clearUserPref("browser.fixup.alternate.enabled");
}
add_task(async function resetToDefaultConfig() {
info(
"Change TLS config to cause page load to fail, check that reset button is shown and that it works"
);
// Set ourselves up for a TLS error.
Services.prefs.setIntPref("security.tls.version.min", 1); // TLS 1.0
Services.prefs.setIntPref("security.tls.version.max", 1);
let browser;
let pageLoaded;
await BrowserTestUtils.openNewForegroundTab(
gBrowser,
() => {
gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, TLS12_PAGE);
browser = gBrowser.selectedBrowser;
pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
},
false
);
info("Loading and waiting for the net error");
await pageLoaded;
// Setup an observer for the target page.
const finalLoadComplete = BrowserTestUtils.browserLoaded(
browser,
false,
TLS12_PAGE
);
await SpecialPowers.spawn(browser, [], async function () {
const doc = content.document;
ok(
doc.documentURI.startsWith("about:neterror"),
"Should be showing error page"
);
const prefResetButton = doc.getElementById("prefResetButton");
await ContentTaskUtils.waitForCondition(
() => ContentTaskUtils.is_visible(prefResetButton),
"prefResetButton is visible"
);
if (!Services.focus.focusedElement == prefResetButton) {
await ContentTaskUtils.waitForEvent(prefResetButton, "focus");
}
Assert.ok(true, "prefResetButton has focus");
prefResetButton.click();
});
info("Waiting for the page to load after the click");
await finalLoadComplete;
resetPrefs();
BrowserTestUtils.removeTab(gBrowser.selectedTab);
});
add_task(async function checkLearnMoreLink() {
info("Load an unsupported TLS page and check for a learn more link");
// Set ourselves up for TLS error
Services.prefs.setIntPref("security.tls.version.min", 3);
Services.prefs.setIntPref("security.tls.version.max", 4);
let browser;
let pageLoaded;
await BrowserTestUtils.openNewForegroundTab(
gBrowser,
() => {
gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, TLS10_PAGE);
browser = gBrowser.selectedBrowser;
pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
},
false
);
info("Loading and waiting for the net error");
await pageLoaded;
const baseURL = Services.urlFormatter.formatURLPref("app.support.baseURL");
await SpecialPowers.spawn(browser, [baseURL], function (_baseURL) {
const doc = content.document;
ok(
doc.documentURI.startsWith("about:neterror"),
"Should be showing error page"
);
const tlsVersionNotice = doc.getElementById("tlsVersionNotice");
ok(
ContentTaskUtils.is_visible(tlsVersionNotice),
"TLS version notice is visible"
);
const learnMoreLink = doc.getElementById("learnMoreLink");
ok(
ContentTaskUtils.is_visible(learnMoreLink),
"Learn More link is visible"
);
is(learnMoreLink.getAttribute("href"), _baseURL + "connection-not-secure");
const titleEl = doc.querySelector(".title-text");
const actualDataL10nID = titleEl.getAttribute("data-l10n-id");
is(
actualDataL10nID,
"nssFailure2-title",
"Correct error page title is set"
);
const errorCodeEl = doc.querySelector("#errorShortDesc2");
const actualDataL10Args = errorCodeEl.getAttribute("data-l10n-args");
ok(
actualDataL10Args.includes("SSL_ERROR_PROTOCOL_VERSION_ALERT"),
"Correct error code is set"
);
});
resetPrefs();
BrowserTestUtils.removeTab(gBrowser.selectedTab);
});
// When a user tries going to a host without a suffix
// and the term doesn't match a host and we are able to suggest a
// valid correction, the page should show the correction.
// e.g. http://example/example2 -> https://www.example.com/example2
add_task(async function checkDomainCorrection() {
await SpecialPowers.pushPrefEnv({
set: [["browser.fixup.alternate.enabled", false]],
});
lazy.gDNSOverride.addIPOverride("www.example.com", "::1");
info("Try loading a URI that should result in an error page");
BrowserTestUtils.openNewForegroundTab(
gBrowser,
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
"http://example/example2/",
false
);
info("Loading and waiting for the net error");
let browser = gBrowser.selectedBrowser;
let pageLoaded = BrowserTestUtils.waitForErrorPage(browser);
await pageLoaded;
const baseURL = Services.urlFormatter.formatURLPref("app.support.baseURL");
await SpecialPowers.spawn(browser, [baseURL], async function (_baseURL) {
const doc = content.document;
ok(
doc.documentURI.startsWith("about:neterror"),
"Should be showing error page"
);
const errorNotice = doc.getElementById("errorShortDesc");
ok(ContentTaskUtils.is_visible(errorNotice), "Error text is visible");
// Wait for the domain suggestion to be resolved and for the text to update
let link;
await ContentTaskUtils.waitForCondition(() => {
link = errorNotice.querySelector("a");
return link && link.textContent != "";
}, "Helper link has been set");
is(
link.getAttribute("href"),
"https://www.example.com/example2/",
"Link was corrected"
);
const actualDataL10nID = link.getAttribute("data-l10n-name");
is(actualDataL10nID, "website", "Correct name is set");
});
lazy.gDNSOverride.clearHostOverride("www.example.com");
resetPrefs();
BrowserTestUtils.removeTab(gBrowser.selectedTab);
});
// Test that ciphersuites that use 3DES (namely, TLS_RSA_WITH_3DES_EDE_CBC_SHA)
// can only be enabled when deprecated TLS is enabled.
add_task(async function onlyAllow3DESWithDeprecatedTLS() {
// By default, connecting to a server that only uses 3DES should fail.
await BrowserTestUtils.withNewTab(
{ gBrowser, url: "about:blank" },
async browser => {
BrowserTestUtils.loadURIString(browser, TRIPLEDES_PAGE);
await BrowserTestUtils.waitForErrorPage(browser);
}
);
// Enabling deprecated TLS should also enable 3DES.
Services.prefs.setBoolPref("security.tls.version.enable-deprecated", true);
await BrowserTestUtils.withNewTab(
{ gBrowser, url: "about:blank" },
async browser => {
BrowserTestUtils.loadURIString(browser, TRIPLEDES_PAGE);
await BrowserTestUtils.browserLoaded(browser, false, TRIPLEDES_PAGE);
}
);
// 3DES can be disabled separately.
Services.prefs.setBoolPref(
"security.ssl3.deprecated.rsa_des_ede3_sha",
false
);
await BrowserTestUtils.withNewTab(
{ gBrowser, url: "about:blank" },
async browser => {
BrowserTestUtils.loadURIString(browser, TRIPLEDES_PAGE);
await BrowserTestUtils.waitForErrorPage(browser);
}
);
resetPrefs();
});
|