Closed
Bug 926116
Opened 11 years ago
Closed 11 years ago
Firefox claims to support TLS_ECDHE_RSA_AES_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 even in TLS 1.0
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
VERIFIED
FIXED
mozilla27
People
(Reporter: briansmith, Assigned: cviecco)
References
Details
Attachments
(2 files)
1.19 KB,
patch
|
briansmith
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
173.87 KB,
text/x-log
|
Details |
+++ This bug was initially created as a clone of Bug #916226 +++ We need to back out the patch for bug 916226 until the patch for bug 919677 lands in mozilla-central.
Reporter | ||
Updated•11 years ago
|
status-firefox26:
--- → affected
status-firefox27:
--- → affected
tracking-firefox26:
--- → ?
tracking-firefox27:
--- → ?
Updated•11 years ago
|
Reporter | ||
Comment 1•11 years ago
|
||
Why does this depend on bug 912155? It would be better to back out the patch now, especially from m-a and m-b, because I think bug 912155 is likely to take a while to go through review, etc.
Flags: needinfo?(cviecco)
Assignee | ||
Comment 2•11 years ago
|
||
my bad.. bad bug.
No longer depends on: 912155
Flags: needinfo?(cviecco)
Assignee | ||
Comment 3•11 years ago
|
||
Assignee | ||
Updated•11 years ago
|
Attachment #816759 -
Flags: review?(brian)
Reporter | ||
Updated•11 years ago
|
Attachment #816759 -
Flags: review?(brian) → review+
https://hg.mozilla.org/mozilla-central/rev/57cfa6f88b8e
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Assignee | ||
Comment 5•11 years ago
|
||
Comment on attachment 816759 [details] [diff] [review] disable-aes-cgm-as-default [Approval Request Comment] Bug caused by (feature/regressing bug #): The landing of 916226 exposed bug 919677 in where the servers might get confused by the choice of ciphersuites. User impact if declined: Some servers might get confused if they partially understand TLS 1.2 and attempt to negotiate TLS1.2 ciphers on the TLS1.0 connections. Some sites might be unreachable. Testing completed (on m-c, etc.): landed on m-c and runs with default settings do no expose the new ciphersuites. Leaving the exact behavior as on FF 25. Risk to taking this patch (and alternatives if risky): None come to mind. String or IDL/UUID changes made by this patch: None
Attachment #816759 -
Flags: approval-mozilla-aurora?
Updated•11 years ago
|
Attachment #816759 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 6•11 years ago
|
||
lsblack thanks for the approbal, but ryanvm backed out 916226 (https://bugzilla.mozilla.org/show_bug.cgi?id=916226#c15) yesterday night and this this patch is no longer needed on aurora.
Assignee | ||
Comment 7•11 years ago
|
||
There is no need for tracking for ff26 as ryanvm backed out the prereq and thus this fix is no longer needed
Assignee | ||
Updated•11 years ago
|
status-firefox26:
affected → ---
tracking-firefox26:
+ → ---
Comment 8•11 years ago
|
||
Is there any help needed for manual testing here? If yes can you please provide some steps in order to reproduce/verify this?
Flags: needinfo?(cviecco)
Assignee | ||
Comment 9•11 years ago
|
||
This is unfriendly.. but here it is: 1. Install tcpdump + wireshark on your local machine 2. Select a host (with a unique ip) that supports https 3. Start tcpdump collection for that ip saving collection to a file 4. Start firefox, change the security.tls.max.version (ensure that secuiry.tls.max.version is 1 (TLS 1.0). 5. Connect via https to the host you selected 6. stop firefox 7. Stop your collector 8. open wireshark with the file collected via tcpdmump 9. Inside the the client-hello message (should be the first data package from the dump (4th package in the conversiation) look inse the SSL->TLS v1.0 record layer-> handhsake protocol: Client Hello -> Cipher suites. The AES GCM ciphers should not be listed. You could do the colletion inside wireshark directly, but that could be unsafe.
Flags: needinfo?(cviecco)
Comment 10•11 years ago
|
||
Thanks Camilo for helping, I was able to reproduce the issue on a older nightly build (AES GCM ciphers appear there), on latest Aurora 27.0a2 I am not seeing listed any AES GCM ciphers. Here is the log file received from tcpdump. Based on this I`m setting this verified as fixed.
Updated•11 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•