Closed Bug 1018878 Opened 11 years ago Closed 11 years ago

push.services.mozilla.com : server does not support RFC 5746

Categories

(Cloud Services Graveyard :: Server: SimplePush, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: standard8, Unassigned)

Accessing the push.services.mozilla.com for Loop on Firefox nightly, I'm seeing this on the error console:

push.services.mozilla.com : server does not support RFC 5746, see CVE-2009-3555

This has been fixed for other mozilla sites in the past (xref bug 602084 & others), so I think it should be fixed here as well.
Blocks: moz-rfc5746
Per bug 555952, be advised that the warning in the error console is traditionally inaccurate. It can in some cases indicate that the server supports 'safe' forms of renegotiation, *or* that the server would actually refuse to renegotiate were the client to try at all.
No longer blocks: moz-rfc5746
See Also: → moz-rfc5746
Just FYI, this appears to be hosted on AWS, and thus is not subject to any discussions in bug 555952 that are specific to the Zeus load balancers we use in our datacenters. I don't manage that infra, so I can't offer any input beyond that.
I see this message too. Nightly Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:36.0) Gecko/20100101 Firefox/36.0 ID:20141109030205 CSet: d380166816dd
Confirming comment #2, golang TLS does not support renegotiation. The reported error is inaccurate. Any potential workaround would involve partially implementing renegotiation in order to deny it, which raises other potential security issues.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
See Also: → 1140384
rbarnes, can you look into comment 4? I hope we're not generating bad warnings to the jsconsole.
Flags: needinfo?(rlb)
I actually agree with jrconlin's conclusion to close this bug, but I would probably call it INVALID instead of WONTFIX. Golang TLS actually does indicate support for RFC 5746 renegotiation_info in its ServerHello: https://github.com/golang/go/blob/go1.4.2/src/crypto/tls/handshake_server.go#L161 (If you wireshark on `openssl s_client -connect push.services.mozilla.com:443 -no_ssl2 -no_ssl3`, you can see the renegotiation_info in the ServerHello.) Seeing this, PSM appears to correctly infer that the server supports RFC 5746. At least, when I load "https://push.services.mozilla.com" in Nightly, I get no error. Perhaps the submitters could provide steps to reproduce? Or maybe it's been fixed (on either side) since the submission.
Flags: needinfo?(rlb)
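The check described in the comment above (looking for renegotiation_info in the ServerHello) can also be done on captured handshake bytes. This is an added example, not part of the bug thread and not code from Firefox/PSM or Go; the function names and the sample ServerHello are constructed for illustration.

```python
import struct

EXT_RENEGOTIATION_INFO = 0xFF01  # RFC 5746 extension type

class Malformed(ValueError):
    """Raised when the bytes are not a well-formed ServerHello."""

def _take(buf, n):
    """Split n bytes off the front of buf, rejecting truncated input."""
    if len(buf) < n:
        raise Malformed("truncated ServerHello")
    return buf[:n], buf[n:]

def has_renegotiation_info(hs: bytes) -> bool:
    """True if the handshake message (record header stripped) is a ServerHello
    carrying renegotiation_info that is valid for an initial handshake."""
    hdr, rest = _take(hs, 4)
    if hdr[0] != 0x02:  # msg_type server_hello
        raise Malformed("not a ServerHello")
    body, _ = _take(rest, int.from_bytes(hdr[1:], "big"))
    _, body = _take(body, 2 + 32)      # server_version, random
    sid_len, body = _take(body, 1)
    _, body = _take(body, sid_len[0])  # session_id
    _, body = _take(body, 2 + 1)       # cipher_suite, compression_method
    if not body:
        return False                   # no extensions block, so no renegotiation_info
    ext_len, body = _take(body, 2)
    exts, _ = _take(body, int.from_bytes(ext_len, "big"))
    while exts:
        head, exts = _take(exts, 4)
        ext_type, length = struct.unpack("!HH", head)
        data, exts = _take(exts, length)
        if ext_type == EXT_RENEGOTIATION_INFO:
            # Initial handshake: renegotiated_connection must be empty (one 0x00 byte)
            if data != b"\x00":
                raise Malformed("non-empty renegotiated_connection")
            return True
    return False

def sample_server_hello(extensions: bytes) -> bytes:
    """Constructed TLS 1.2 ServerHello (zeroed random, empty session id)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return b"\x02" + len(body).to_bytes(3, "big") + body

# Constructed extension: renegotiation_info, length 1, empty renegotiated_connection
RI = b"\xff\x01\x00\x01\x00"
```

The input is the handshake message only, so a capture's 5-byte TLS record header has to be stripped first.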
(In reply to Richard Barnes [:rbarnes] from comment #7)
> Perhaps the submitters could provide steps to reproduce? Or maybe it's been
> fixed (on either side) since the submission.

Fresh profile:
1) Start Up Firefox
2) Open the browser console
3) Click the Hello button, followed by "Get Started".
=> "push1.push.hello.firefox.com : server does not support RFC 5746, see CVE-2009-3555"

If you then create a conversation and restart Firefox, you'll find the message reported to the console again a few seconds after startup.
Please note: We've since updated the version of golang running on the push servers, which has included several TLS fixes. I am unable to reproduce this error using the above steps using Firefox 29 or 40. In addition, we are planning on rolling out a new server which uses a different platform. Doing a quick check on that platform also does not raise the issue. Please verify that this is an ongoing issue and reopen if required, but I believe that this bug has been overcome by events.
Product: Cloud Services → Cloud Services Graveyard