Closed Bug 1027720 Opened 6 years ago Closed 6 years ago

Restrict HTTP/2 connections to AEAD ciphers only

Categories

(Core :: Networking: HTTP, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla34

People

(Reporter: u408661, Assigned: mcmanus)

References

Details

(Keywords: dev-doc-needed, Whiteboard: [spdy])

Attachments

(1 file, 1 obsolete file)

The spec now requires only AEAD ciphers. That requires some PSM plumbing before we can make the HTTP/2 code enforce that work.

Patrick, can you do the PSM plumbing bits? I think we just need to make sure that nsISSLStatus.cipherName is set when we get to ConfirmTLSProfile (and we may also need to make sure that we have access to an nsISSLStatus object at that point). It may be easier to just add another field to nsISSLSocketControl instead.
Whiteboard: [spdy] [http2release] → [spdy]
Attachment #8466450 - Flags: review?(hurley)
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #8466450 - Flags: review?(dkeeler)
Comment on attachment 8466450 [details] [diff] [review]
enforce h2 requirement that sever uses aead

Review of attachment 8466450 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM, but let's make sure we interop with this applied before landing. I'll give this a shot w/webtide after ensuring existing h2-14 stuff works with it (which will come once they re-enable it)
Attachment #8466450 - Flags: review?(hurley) → review+
fwiw I did test this live with twitter.com and h2-13
Good enough for me, then.
Comment on attachment 8466450 [details] [diff] [review]
enforce h2 requirement that sever uses aead

Review of attachment 8466450 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.

::: netwerk/socket/nsISSLSocketControl.idl
@@ +82,5 @@
>      const short SSL_VERSION_UNKNOWN = -1;
>  
>      [infallible] readonly attribute short SSLVersionUsed;
> +
> +    /* These values match the NSS defined values */

Might be nice to include "in sslt.h"
Attachment #8466450 - Flags: review?(dkeeler) → review+
apparently clang has no problem with: nsISSLSocketControl::nsISSLSocketControl::SSL_MAC_AEAD  :)
Attachment #8466450 - Attachment is obsolete: true
Attachment #8467142 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/d023f02eecac
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Duplicate of this bug: 1055696
You need to log in before you can comment on or make changes to this bug.