Bug 194141: missing calls to SSL_ClearSessionCache
Status: Closed, RESOLVED FIXED
Opened 22 years ago
Closed 19 years ago
Categories: Core Graveyard :: Security: UI, defect
Tracking: Not tracked
People: Reporter: nelson, Assigned: mconnor
Attachments: 1 file (3.90 KB, patch); nelson: review+, dveditz: superreview+, benjamin: approval1.8b4+
Any time that PSM calls PK11_LogoutAll, it should also call SSL_ClearSessionCache. This helps ensure that no authenticated SSL sessions are reused after the Logout. Also, any time that the user changes the set of enabled SSL2/SSL3/TLS versions, or changes the set of ciphersuites permitted for any of those versions, PSM should call SSL_ClearSessionCache after making the change. This ensures that ALL SSL sessions used after the change follow the newly established preferences.
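The reasoning in the description, as an added C model that is not part of the bug report and is not PSM or NSS code: a cached session is resumed with the parameters it was negotiated under, so a logout or a version change only takes effect once the cache is cleared. Every type and function name is a hypothetical stand-in (`clear_session_cache` for SSL_ClearSessionCache, `logout_all` for PK11_LogoutAll, `set_enabled_versions` for a pref change).

```c
/* Toy model of an SSL session cache; all names are hypothetical, not NSS API. */
#include <stdbool.h>
#include <string.h>

enum { VER_SSL2 = 1, VER_SSL3 = 2, VER_TLS1 = 4, SLOTS = 8 };

typedef struct { char peer[32]; int version; bool client_auth; bool used; } Session;
typedef struct { int version; bool client_auth; bool resumed; } Conn;

static Session cache[SLOTS];
static int enabled_versions = VER_SSL2 | VER_SSL3 | VER_TLS1;
static bool token_logged_in = true;

/* Stands in for SSL_ClearSessionCache: forget every resumable session. */
static void clear_session_cache(void) { memset(cache, 0, sizeof cache); }

/* Stands in for a pref change; clear_cache=true is the behaviour the report asks for. */
static void set_enabled_versions(int mask, bool clear_cache) {
    enabled_versions = mask;
    if (clear_cache) clear_session_cache();
}

/* Stands in for PK11_LogoutAll, optionally followed by the cache clear. */
static void logout_all(bool clear_cache) {
    token_logged_in = false;
    if (clear_cache) clear_session_cache();
}

/* A cache hit resumes with the stored parameters and never re-checks prefs or
 * login state; only a full handshake consults them. version 0 means refused. */
static Conn connect_to(const char *peer, int server_version) {
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].used && strcmp(cache[i].peer, peer) == 0)
            return (Conn){ cache[i].version, cache[i].client_auth, true };
    if (!(server_version & enabled_versions))
        return (Conn){ 0, false, false };
    for (int i = 0; i < SLOTS; i++) {
        if (cache[i].used) continue;
        Session s = { "", server_version, token_logged_in, true };
        strncpy(s.peer, peer, sizeof s.peer - 1);
        cache[i] = s;
        break;
    }
    return (Conn){ server_version, token_logged_in, false };
}
```

With `clear_cache` false, a peer first contacted over SSL2 keeps resuming over SSL2 after SSL2 is disabled, and a session established while logged in is still resumed as authenticated after logout.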
Comment 2 • 19 years ago (Reporter)
*** Bug 285440 has been marked as a duplicate of this bug. ***
Comment 3 • 19 years ago (Assignee)
Comment 5 • 19 years ago
Comment on attachment 190538
fix first part (call SSL_ClearSessionCache after PK11_LogoutAll)

sr=dveditz

Let's get nelson's r= on this.
Attachment #190538 - Flags: superreview+
Attachment #190538 - Flags: review?(nelson)
Attachment #190538 - Flags: review?(dveditz)
Comment 6 • 19 years ago (Reporter)
Comment on attachment 190538
fix first part (call SSL_ClearSessionCache after PK11_LogoutAll)

Yes, looks right to me. r=nelson.bolyard

I also checked that SSL_ClearSessionCache will not crash even if NSS has not yet been initialized.
Attachment #190538 - Flags: review?(nelson) → review+
Updated • 19 years ago (Assignee)
Attachment #190538 - Flags: approval1.8b4?
Updated • 19 years ago
Attachment #190538 - Flags: approval1.8b4? → approval1.8b4+
Updated • 19 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 7 • 19 years ago (Reporter)
Many thanks to Mike and Dan and Benjamin.
Comment 9 • 19 years ago (Assignee)
dveditz's take was no, if users want to clear existing sessions they have the ability to directly do this themselves now. We can take that discussion to a new bug though. We also don't have UI for these now, so we're talking about watching a lot of prefs for changes.
Comment 10 • 19 years ago (Reporter)
This bug began life as a PSM bug. When the PSM "product" was removed, most PSM bugs got changed to "Core: Security UI", even if they were not UI bugs at all. This is an example. Some mozilla products no longer have UI to change individual cipher suites. But PSM still has code to do so, and that code is deficient in that it fails to clear the SSL session cache after such changes. I will open another PSM bug (not UI bug) about that.
Comment 11 • 19 years ago (Reporter)
Note that FF and Tbird DO still have UI to change the versions of SSL that are enabled. When those are changed, the changes do not take immediate effect because the cache is not cleared. I filed bug 302803 about that.
Updated • 8 years ago
Product: Core → Core Graveyard