Bug 1768250 - Don't always do 0RTT for HTTP/2, r=necko-reviewers,dragana

KershawChang · KershawChang · commit 91c4d924962f · 2022-09-20T12:58:06.000Z
Differential Revision: https://phabricator.services.mozilla.com/D148513
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
@@ -11595,6 +11595,12 @@
   value: 5
   mirror: always
 
+  # If true, remove the resumption token when 0RTT failed.
+- name: network.http.remove_resumption_token_when_early_data_failed
+  type: RelaxedAtomicBool
+  value: true
+  mirror: always
+
 # The maximum count that we allow socket prrocess to crash. If this count is
 # reached, we won't use networking over socket process.
 - name: network.max_socket_process_failed_count
diff --git a/netwerk/protocol/http/nsHttpTransaction.cpp b/netwerk/protocol/http/nsHttpTransaction.cpp
@@ -16,6 +16,7 @@
 #include "Http2ConnectTransaction.h"
 #include "base/basictypes.h"
 #include "mozilla/Components.h"
+#include "mozilla/net/SSLTokensCache.h"
 #include "mozilla/ScopeExit.h"
 #include "mozilla/Tokenizer.h"
 #include "mozilla/StaticPrefs_network.h"
@@ -1324,6 +1325,23 @@ bool nsHttpTransaction::ShouldRestartOn0RttError(nsresult reason) {
          mEarlyDataWasAvailable && SecurityErrorThatMayNeedRestart(reason);
 }
 
+static void MaybeRemoveSSLToken(nsISSLSocketControl* aSocketControl) {
+  if (!StaticPrefs::
+          network_http_remove_resumption_token_when_early_data_failed()) {
+    return;
+  }
+
+  nsCOMPtr<nsITransportSecurityInfo> info(do_QueryInterface(aSocketControl));
+  if (!info) {
+    return;
+  }
+
+  nsAutoCString key;
+  info->GetPeerId(key);
+  nsresult rv = SSLTokensCache::RemoveAll(key);
+  LOG(("RemoveSSLToken [key=%s, rv=%" PRIx32 "]", key.get(), rv));
+}
+
 void nsHttpTransaction::Close(nsresult reason) {
   LOG(("nsHttpTransaction::Close [this=%p reason=%" PRIx32 "]\n", this,
        static_cast<uint32_t>(reason)));
@@ -1457,6 +1475,7 @@ void nsHttpTransaction::Close(nsresult reason) {
     }
 
     mDoNotTryEarlyData = true;
+
     // reallySentData is meant to separate the instances where data has
     // been sent by this transaction but buffered at a higher level while
     // a TLS session (perhaps via a tunnel) is setup.
@@ -1751,6 +1770,10 @@ nsresult nsHttpTransaction::Restart() {
   nsCOMPtr<nsISeekableStream> seekable = do_QueryInterface(mRequestStream);
   if (seekable) seekable->Seek(nsISeekableStream::NS_SEEK_SET, 0);
 
+  if (mDoNotTryEarlyData) {
+    MaybeRemoveSSLToken(mTLSSocketControl);
+  }
+
   // clear old connection state...
   {
     MutexAutoLock lock(mLock);
