Remove support for TLS session caches in TLSServerSocket.

This resolves #738
2026-05-26 14:54:25 +00:00 · 2018-09-01 23:45:10 +02:00
parent 1bb41a8652
commit e2e197cada
10 changed files with 15 additions and 43 deletions
@@ -480,7 +480,6 @@ SocketListener.prototype = {
  _setAdditionalSocketOptions: Task.async(function* () {
    if (this.encryption) {
      this._socket.serverCert = yield cert.local.getOrCreate();
-      this._socket.setSessionCache(false);
      this._socket.setSessionTickets(false);
      let requestCert = Ci.nsITLSServerSocket.REQUEST_NEVER;
      this._socket.setRequestClientCertificate(requestCert);
@@ -100,7 +100,6 @@ PresentationControlService.prototype = {

      if (aCert) {
        this._serverSocket.serverCert = aCert;
-        this._serverSocket.setSessionCache(false);
        this._serverSocket.setSessionTickets(false);
        let requestCert = Ci.nsITLSServerSocket.REQUEST_NEVER;
        this._serverSocket.setRequestClientCertificate(requestCert);
@@ -52,12 +52,12 @@ TLSServerSocket::SetSocketDefaults()
  SSL_OptionSet(mFD, SSL_SECURITY, true);
  SSL_OptionSet(mFD, SSL_HANDSHAKE_AS_CLIENT, false);
  SSL_OptionSet(mFD, SSL_HANDSHAKE_AS_SERVER, true);
-
+  SSL_OptionSet(mFD, SSL_NO_CACHE, true);
+  
  // We don't currently notify the server API consumer of renegotiation events
  // (to revalidate peer certs, etc.), so disable it for now.
  SSL_OptionSet(mFD, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_NEVER);

-  SetSessionCache(true);
  SetSessionTickets(true);
  SetRequestClientCertificate(REQUEST_NEVER);

@@ -171,18 +171,6 @@ TLSServerSocket::SetServerCert(nsIX509Cert* aCert)
  return NS_OK;
 }

-NS_IMETHODIMP
-TLSServerSocket::SetSessionCache(bool aEnabled)
-{
-  // If AsyncListen was already called (and set mListener), it's too late to set
-  // this.
-  if (NS_WARN_IF(mListener)) {
-    return NS_ERROR_IN_PROGRESS;
-  }
-  SSL_OptionSet(mFD, SSL_NO_CACHE, !aEnabled);
-  return NS_OK;
-}
-
 NS_IMETHODIMP
 TLSServerSocket::SetSessionTickets(bool aEnabled)
 {
@@ -19,15 +19,6 @@ interface nsITLSServerSocket : nsIServerSocket
   */
  attribute nsIX509Cert serverCert;

-  /**
-   * setSessionCache
-   *
-   * Whether the server should use a session cache.  Defaults to true.  This
-   * should be set before calling |asyncListen| if you wish to change the
-   * default.
-   */
-  void setSessionCache(in boolean aSessionCache);
-
  /**
   * setSessionTickets
   *
@@ -140,7 +140,6 @@ function startServer(cert, minServerVersion, maxServerVersion) {
  tlsServer.init(-1, true, -1);
  tlsServer.serverCert = cert;
  tlsServer.setVersionRange(minServerVersion, maxServerVersion);
-  tlsServer.setSessionCache(false);
  tlsServer.setSessionTickets(false);
  tlsServer.asyncListen(new ServerSocketListener());
  return tlsServer;
@@ -90,7 +90,6 @@ function startServer(cert, expectingPeerCert, clientCertificateConfig,
    onStopListening: function() {}
  };

-  tlsServer.setSessionCache(false);
  tlsServer.setSessionTickets(false);
  tlsServer.setRequestClientCertificate(clientCertificateConfig);

@@ -67,7 +67,6 @@ function startServer(cert) {
    onStopListening: function() {}
  };

-  tlsServer.setSessionCache(true);
  tlsServer.setSessionTickets(false);

  tlsServer.asyncListen(listener);
@@ -1938,20 +1938,6 @@ nsNSSComponent::InitializeNSS()
    return NS_ERROR_FAILURE;
  }

-  // TLSServerSocket may be run with the session cache enabled. It is necessary
-  // to call this once before that can happen. This specifies a maximum of 1000
-  // cache entries (the default number of cache entries is 10000, which seems a
-  // little excessive as there probably won't be that many clients connecting to
-  // any TLSServerSockets the browser runs.)
-  // Note that this must occur before any calls to SSL_ClearSessionCache
-  // (otherwise memory will leak).
-  if (SSL_ConfigServerSessionIDCache(1000, 0, 0, nullptr) != SECSuccess) {
-#ifdef ANDROID
-    MOZ_RELEASE_ASSERT(false);
-#endif
-    return NS_ERROR_FAILURE;
-  }
-
  // ensure the CertBlocklist is initialised
  nsCOMPtr<nsICertBlocklist> certList = do_GetService(NS_CERTBLOCKLIST_CONTRACTID);
 #ifdef ANDROID
@@ -77,7 +77,6 @@ function startServer(cert, rc4only) {
    onStopListening: function() {}
  };

-  tlsServer.setSessionCache(false);
  tlsServer.setSessionTickets(false);
  tlsServer.setRequestClientCertificate(Ci.nsITLSServerSocket.REQUEST_NEVER);
  if (rc4only) {
@@ -124,6 +124,8 @@ extern nsresult nsStringInputStreamConstructor(nsISupports*, REFNSIID, void**);
 #include "nsMemoryInfoDumper.h"
 #include "nsSecurityConsoleMessage.h"
 #include "nsMessageLoop.h"
+#include "nss.h"
+#include "ssl.h"

 #include "nsStatusReporterManager.h"

@@ -1046,6 +1048,17 @@ ShutdownXPCOM(nsIServiceManager* aServMgr)
    sInitializedJS = false;
  }

+  // At this point all networking threads should have been joined and the
+  // component manager is shut down. Any remaining objects that hold NSS
+  // resources (should!) have been released, so we can safely shut down NSS.
+  if (NSS_IsInitialized()) {
+    SSL_ClearSessionCache();
+    // XXX: It would be nice if we can enforce this shutdown.
+    if (NSS_Shutdown() != SECSuccess) {
+      NS_WARNING("NSS Shutdown failed - some resources are still in use");
+    }
+  }
+  
  // Release our own singletons
  // Do this _after_ shutting down the component manager, because the
  // JS component loader will use XPConnect to call nsIModule::canUnload,