Closed Bug 194141 Opened 22 years ago Closed 19 years ago

missing calls to SSL_ClearSessionCache

Categories

(Core Graveyard :: Security: UI, defect)

1.0 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: nelson, Assigned: mconnor)

Attachments

(1 file)

Any time that PSM calls PK11_LogoutAll, it should also call SSL_ClearSessionCache.
This helps ensure that no authenticated SSL sessions are reused after the Logout.

Also, any time that the user changes the set of enabled SSL2/SSL3/TLS versions,
or changes the set of ciphersuites permitted for any of those versions, PSM 
should call SSL_ClearSessionCache after making the change.  This ensures that
ALL SSL sessions used after the change follow the newly established preferences.
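
A minimal model of the failure this report describes, as an added example that is not PSM or NSS code: the `toy_*` functions, state variables and host names are hypothetical stand-ins, and the cache is assumed to resume a matching session without re-checking login state or enabled versions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a one-entry client SSL session cache (constructed; not NSS code). */
enum { TOY_FAILED = -1, TOY_FULL = 0, TOY_RESUMED = 1 };
static struct { bool in_use; char peer[32]; } cached;
static bool token_logged_in;        /* the state a logout resets */
static unsigned enabled_versions;   /* bit n set = protocol version n enabled */

static void toy_clear_session_cache(void) { memset(&cached, 0, sizeof cached); }

/* A cache hit resumes the old session: no version check, no client auth. */
static int toy_connect(const char *peer, int version, bool client_auth) {
    if (cached.in_use && strcmp(cached.peer, peer) == 0)
        return TOY_RESUMED;
    if (!(enabled_versions & (1u << version)) || (client_auth && !token_logged_in))
        return TOY_FAILED;   /* full handshake refused by current state */
    cached.in_use = true;
    snprintf(cached.peer, sizeof cached.peer, "%s", peer);
    return TOY_FULL;
}

/* Case 1: log out of the token, then reconnect to the same server. */
static int reconnect_after_logout(bool clear_cache) {
    toy_clear_session_cache();
    token_logged_in = true;
    enabled_versions = 1u << 3;
    toy_connect("mail.example", 3, true);   /* authenticated full handshake */
    token_logged_in = false;                /* the logout */
    if (clear_cache) toy_clear_session_cache();
    return toy_connect("mail.example", 3, true);
}

/* Case 2: disable a protocol version, then reconnect. */
static int reconnect_after_pref_change(bool clear_cache) {
    toy_clear_session_cache();
    enabled_versions = (1u << 2) | (1u << 3);
    toy_connect("old.example", 2, false);   /* session negotiated at version 2 */
    enabled_versions = 1u << 3;             /* user turns version 2 off */
    if (clear_cache) toy_clear_session_cache();
    return toy_connect("old.example", 2, false);
}

int main(void) {
    printf("cache kept/cleared  logout: %d/%d  prefs: %d/%d\n",
           reconnect_after_logout(false), reconnect_after_logout(true),
           reconnect_after_pref_change(false), reconnect_after_pref_change(true));
}
```

With the cache kept, both reconnects resume the stale session; with it cleared, both fall back to a full handshake that the current login state or version setting refuses.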
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Product: PSM → Core
*** Bug 285440 has been marked as a duplicate of this bug. ***
Blocks: 285440
Assignee: nobody → mconnor
Status: NEW → ASSIGNED
Attachment #190538 - Flags: review?(dveditz)
This needs to block 1.8b4 if bug 285440 does.
Flags: blocking1.8b4+
Comment on attachment 190538 [details] [diff] [review]
fix first part (call SSL_ClearSessionCache after PK11_LogoutAll)

sr=dveditz
Let's get nelson's r= on this.
Attachment #190538 - Flags: superreview+
Attachment #190538 - Flags: review?(nelson)
Attachment #190538 - Flags: review?(dveditz)
Comment on attachment 190538 [details] [diff] [review]
fix first part (call SSL_ClearSessionCache after PK11_LogoutAll)

Yes, looks right to me.  r=nelson.bolyard
I also checked that SSL_ClearSessionCache will not crash 
even if NSS has not yet been initialized.
Attachment #190538 - Flags: review?(nelson) → review+
Attachment #190538 - Flags: approval1.8b4?
Attachment #190538 - Flags: approval1.8b4? → approval1.8b4+
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Many thanks to Mike and Dan and Benjamin.
Should a new bug be filed on the second part of comment 0?
dveditz's take was no, if users want to clear existing sessions they have the
ability to directly do this themselves now.  We can take that discussion to a new
bug though.

We also don't have UI for these now, so we're talking about watching a lot of
prefs for changes.
This bug began life as a PSM bug.  When the PSM "product" was removed,
most PSM bugs got changed to "Core: Security UI", even if they were not 
UI bugs at all.  This is an example.

Some Mozilla products no longer have UI to change individual cipher suites.
But PSM still has code to do so, and that code is deficient in that it 
fails to clear the SSL session cache after such changes.  

I will open another PSM bug (not UI bug) about that.  
Note that FF and Tbird DO still have UI to change the versions of SSL that
are enabled. When those are changed, the changes do not take immediate 
effect because the cache is not cleared.  I filed bug 302803 about that.
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard