200945 – Add default to disable legacy TLS versions

RESOLVED FIXED 200945

Add default to disable legacy TLS versions

https://bugs.webkit.org/show_bug.cgi?id=200945

Summary Add default to disable legacy TLS versions

Alex Christensen

Reported 2019-08-20 14:51:49 PDT

Add default to disable legacy TLS versions

Attachments
Patch (7.96 KB, patch) 2019-08-20 14:52 PDT, Alex Christensen	no flags	Details Formatted Diff Diff
Patch (8.08 KB, patch) 2019-08-20 15:13 PDT, Alex Christensen	no flags	Details Formatted Diff Diff
Patch (8.25 KB, patch) 2019-08-21 16:14 PDT, Alex Christensen	no flags	Details Formatted Diff Diff
Patch (8.30 KB, patch) 2019-08-21 17:18 PDT, Alex Christensen	beidson: review+	Details Formatted Diff Diff
patch for landing (8.29 KB, patch) 2019-08-22 10:08 PDT, Alex Christensen	no flags	Details Formatted Diff Diff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.

Alex Christensen

Comment 1 2019-08-20 14:52:03 PDT

Created attachment 376811 [details] Patch

Geoffrey Garen

Comment 2 2019-08-20 14:54:02 PDT

Comment on attachment 376811 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=376811&action=review > Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm:284 > + parameters.defaultDataStoreParameters.networkSessionParameters.minimumTLSVersion = [defaults boolForKey:@"WebKitDisableLegacyTLS"] ? Can we use an experimental feature flag for this instead? That way, it's easier for folks to toggle it when testing.

Alex Christensen

Comment 3 2019-08-20 15:13:04 PDT

Created attachment 376817 [details] Patch

Alex Christensen

Comment 4 2019-08-20 15:40:08 PDT

This goes with rdar://54530661 Experimental features don't go in the NetworkProcess :( Also, there's no easy way to set experimental features for all apps, but there is a way for NSUserDefaults

Brady Eidson

Comment 5 2019-08-21 14:33:38 PDT

Comment on attachment 376817 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=376817&action=review > Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:72 > + auto minimumTLSVersion = [defaults boolForKey:@"WebKitDisableLegacyTLS"] ? Lets not add another [defaults <fooForKey>] in here. The others need to be reworked to be API/SPI calls instead of relying on NSUserDefaults. Please do the same for yours. Otherwise this all seems fine,

Brady Eidson

Comment 6 2019-08-21 14:34:55 PDT

(In reply to Brady Eidson from comment #5) > Comment on attachment 376817 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=376817&action=review > > > Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:72 > > + auto minimumTLSVersion = [defaults boolForKey:@"WebKitDisableLegacyTLS"] ? > > Lets not add another [defaults <fooForKey>] in here. The others need to be > reworked to be API/SPI calls instead of relying on NSUserDefaults. Please do > the same for yours. > > Otherwise this all seems fine. So, I wrote this comment WITHOUT having look at the previous conversation. I stand by it. No NSUserDefaults please. (Doesn't have to be experimental)

Tim Horton

Comment 7 2019-08-21 14:50:38 PDT

Comment on attachment 376817 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=376817&action=review >>> Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:72 >>> + auto minimumTLSVersion = [defaults boolForKey:@"WebKitDisableLegacyTLS"] ? >> >> Lets not add another [defaults <fooForKey>] in here. The others need to be reworked to be API/SPI calls instead of relying on NSUserDefaults. Please do the same for yours. >> >> Otherwise this all seems fine, > > So, I wrote this comment WITHOUT having look at the previous conversation. > > I stand by it. No NSUserDefaults please. (Doesn't have to be experimental) +1 to no NSUserDefaults. Doesn't seem like something we want apps to use, and NSUserDefaults is a free hole for people to fiddle with bits. We do have the few debug-style globally-settable preferences (like layer borders) but this seems like it doesn't fit into that category either.

Alex Christensen

Comment 8 2019-08-21 16:14:04 PDT

Created attachment 376944 [details] Patch

Alex Christensen

Comment 9 2019-08-21 16:25:58 PDT

Comment on attachment 376944 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=376944&action=review > Source/WTF/ChangeLog:3 > + Add default to disable legacy TLS versions I'll change the title to "Disable legacy TLS versions and add a temporary default to re-enable it"

Alex Christensen

Comment 10 2019-08-21 17:18:20 PDT

Created attachment 376952 [details] Patch

Alex Christensen

Comment 11 2019-08-22 07:25:07 PDT

We need an NSUserDefault for the corresponding internal change, and we can't use a debug WebPreference because it is needed when the NetworkSessionParameters are made, and we don't know which WKWebView to use if it were a preference on a WKWebView. The default now turns it off instead of on.

Brady Eidson

Comment 12 2019-08-22 10:06:36 PDT

Comment on attachment 376952 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=376952&action=review > Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm:284 > + parameters.defaultDataStoreParameters.networkSessionParameters.enableLegacyTLS = [defaults boolForKey:@"WebKitEnableLegacyTLS"]; Oof > Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:72 > + bool enableLegacyTLS = [defaults boolForKey:@"WebKitDisableLegacyTLS"]; Oof.

Brady Eidson

Comment 13 2019-08-22 10:07:02 PDT

Comment on attachment 376952 [details] Patch We're doing enable, right? Make it enable everywhere.

Alex Christensen

Comment 14 2019-08-22 10:08:44 PDT

Created attachment 377021 [details] patch for landing

WebKit Commit Bot

Comment 15 2019-08-22 11:13:15 PDT

Comment on attachment 377021 [details] patch for landing Clearing flags on attachment: 377021 Committed r249019: <https://trac.webkit.org/changeset/249019>

WebKit Commit Bot

Comment 16 2019-08-22 11:13:17 PDT

All reviewed patches have been landed. Closing bug.

Radar WebKit Bug Importer

Comment 17 2019-08-22 11:14:22 PDT

<rdar://problem/54606353>

Darin Adler

Comment 18 2019-08-22 17:26:42 PDT

Comment on attachment 377021 [details] patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=377021&action=review > Source/WTF/wtf/Platform.h:1614 > +#if (PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 130000 || PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500) > +#define HAVE_TLS_PROTOCOL_VERSION_T 1 > +#endif What about non-IOS IOS_FAMILY platforms?

Tim Horton

Comment 19 2019-08-29 16:43:39 PDT

(In reply to Darin Adler from comment #18) > Comment on attachment 377021 [details] > patch for landing > > View in context: > https://bugs.webkit.org/attachment.cgi?id=377021&action=review > > > Source/WTF/wtf/Platform.h:1614 > > +#if (PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 130000 || PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500) > > +#define HAVE_TLS_PROTOCOL_VERSION_T 1 > > +#endif > > What about non-IOS IOS_FAMILY platforms? I second this (and in fact the leftover deprecation warnings are breaking the build).

Alex Christensen

Comment 20 2019-08-30 13:19:04 PDT

http://trac.webkit.org/r249340

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component New Bugs

Assignee

Alex Christensen

Reported

2019-08-20 14:51 PDT

Modified

2019-08-30 13:19 PDT History

CC List

11 users Show

URL

Keywords InRadar

Depends on

Blocks