Closed Bug 733958 Opened 12 years ago Closed 12 years ago

bugzilla.mozilla.org fails to load when security.ssl.require_safe_negotiation is enabled

Categories

(mozilla.org Graveyard :: Server Operations, task)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 555952

People

(Reporter: aerowolf, Unassigned)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Build ID: 20120215223356

Steps to reproduce:

Firefox 10, security.ssl.require_secure_negotiation=true.  Attempted to file bug about addons.mozilla.org intermittent insecure negotiation.


Actual results:

Step 2 (which relies upon JavaScript being loaded) failed to do anything when I clicked the "find bugs similar" button.  I was forced to disable security.ssl.require_secure_negotiation=true.


Expected results:

The JavaScript-vending server should support secure negotiation, so JavaScript required by Bugzilla will load correctly with require_secure_negotiation=true.
Component: General → Untriaged
Product: bugzilla.mozilla.org → Firefox
QA Contact: general → untriaged
Version: Current → 10 Branch
oh, wait, sorry.
note to self:  drink coffee, _then_ triage bugs :)
Component: Untriaged → Extensions: GuidedBugEntry
Product: Firefox → bugzilla.mozilla.org
QA Contact: untriaged → guided-bug-entry
Version: 10 Branch → Current
security.ssl.require_secure_negotiation isn't a recognised option.
i assume you mean security.ssl.require_safe_negotiation

when enabled, even non-javascript requests can result in:

> An error occurred during a connection to bugzilla.mozilla.org.
> Peer attempted old style (potentially vulnerable) handshake.
> (Error code: ssl_error_unsafe_negotiation)

the documentation for this setting, at https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation says:

> Unfortunately, as of time of (initial) writing, this would break
> nearly all secure sites on the web. (Update: As of December 2010,
> this still applies for a majority of web sites.)
Assignee: nobody → server-ops-devservices
Component: Extensions: GuidedBugEntry → Server Operations: Developer Services
Product: bugzilla.mozilla.org → mozilla.org
QA Contact: guided-bug-entry → shyam
Version: Current → other
Assignee: server-ops-devservices → server-ops
Component: Server Operations: Developer Services → Server Operations: AMO Operations
QA Contact: shyam → oremj
When were you seeing the failures? Does it work now?
(In reply to Jeremy Orem [:oremj] from comment #4)
> When were you seeing the failures? Does it work now?

i was able to reproduce this with nightly at the time i made comment 2.
This bug is for bugzilla.mozilla.org, not addons.mozilla.org right?
Component: Server Operations: AMO Operations → Server Operations
QA Contact: oremj → phong
Isn't this just because statse.webtrendslive.com doesn't support RFC 5746, which there are already a bazillion bugs about?
Byron, is that where you are seeing the failure?
no, this isn't rfc-5746 again, this is on bugzilla.mozilla.org.

to reiterate the steps to reproduce:
1. set security.ssl.require_safe_negotiation to true
2. load https://bugzilla.mozilla.org/

results:

  An error occurred during a connection to bugzilla.mozilla.org.
  Peer attempted old style (potentially vulnerable) handshake.
  (Error code: ssl_error_unsafe_negotiation)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Javascript sometimes fails to load when Firefox security.ssl.require_secure_negotiation true → bugzilla.mozilla.org fails to load when security.ssl.require_safe_negotiation is enabled
This likely is an RFC 5746 issue, just not with webtrends. We have several bugs open about this kind of issue... the TL;DR is: Firefox complains, but everything else we can find to test with says everything is A-OK. This includes "openssl s_client", "gnutls-cli", https://www.ssllabs.com/, the Zeus LB configuration, and the Zeus tech support engineers. I don't know if Chrome, Safari, IE, or Opera have similar built-in ways to check.

The master bug on this is Bug 555952. If you have any information that might speak to this issue, I recommend entering it there, or in one of the myriad of dependent bugs. In fact, if I'm not mistaken in my diagnosis here, it might be wise to set this one as dependent on that one as well.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Product: mozilla.org → mozilla.org Graveyard