Restrict HTTP/2 connections to AEAD ciphers only

RESOLVED FIXED in mozilla34

Status


defect
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: u408661, Assigned: mcmanus)

Tracking

({dev-doc-needed})

unspecified
mozilla34

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [spdy])

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

5 years ago
The spec now requires only AEAD ciphers. That requires some PSM plumbing before we can make the HTTP/2 code enforce that work.

Patrick, can you do the PSM plumbing bits? I think we just need to make sure that nsISSLStatus.cipherName is set when we get to ConfirmTLSProfile (and we may also need to make sure that we have access to an nsISSLStatus object at that point). It may be easier to just add another field to nsISSLSocketControl instead.
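
An added illustration of the check this description asks for, not code from this bug or from Gecko: it decides whether a negotiated cipher suite is AEAD and fails closed when no cipher name reached the check. The function names, the result enum, and the choice to classify by suite name are assumptions of this example; the sample suite names are standard IANA/OpenSSL spellings.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Split a suite name on '_' and '-' into upper-cased tokens, so both IANA
// (TLS_..._WITH_AES_128_GCM_SHA256) and OpenSSL (ECDHE-RSA-AES128-GCM-SHA256)
// spellings are handled the same way.
static std::vector<std::string> SuiteTokens(const std::string& name) {
  std::vector<std::string> out;
  std::string cur;
  for (unsigned char c : name) {
    if (c == '_' || c == '-') {
      if (!cur.empty()) out.push_back(cur);
      cur.clear();
    } else {
      cur.push_back(static_cast<char>(std::toupper(c)));
    }
  }
  if (!cur.empty()) out.push_back(cur);
  return out;
}

// True when record protection is an AEAD mode (GCM, CCM, ChaCha20-Poly1305).
// The trailing SHA256/SHA384 on such suites names the PRF hash, not a record
// MAC, so the hash token is deliberately ignored.
bool IsAeadSuite(const std::string& name) {
  for (const std::string& t : SuiteTokens(name)) {
    if (t == "GCM" || t == "CCM" || t == "CCM8" || t == "POLY1305") return true;
  }
  return false;
}

// Hypothetical result type and profile check (not Gecko's ConfirmTLSProfile).
enum class H2Profile { NotH2, Ok, CipherUnknown, NotAead };

H2Profile CheckH2Profile(const std::string& alpn, const std::string& cipherName) {
  // Only gate HTTP/2 ALPN ids: the final "h2" token and "h2-NN" draft tokens.
  if (alpn != "h2" && alpn.rfind("h2-", 0) != 0) return H2Profile::NotH2;
  // Fail closed if the cipher name was never plumbed through to this point.
  if (cipherName.empty()) return H2Profile::CipherUnknown;
  return IsAeadSuite(cipherName) ? H2Profile::Ok : H2Profile::NotAead;
}
```
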
(Assignee)

Updated

5 years ago
Whiteboard: [spdy] [http2release] → [spdy]
(Assignee)

Comment 1

5 years ago
Attachment #8466450 - Flags: review?(hurley)
(Assignee)

Updated

5 years ago
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
(Assignee)

Updated

5 years ago
Attachment #8466450 - Flags: review?(dkeeler)
(Reporter)

Comment 2

5 years ago
Comment on attachment 8466450
enforce h2 requirement that sever uses aead

Review of attachment 8466450:
-----------------------------------------------------------------

LGTM, but let's make sure we interop with this applied before landing. I'll give this a shot w/webtide after ensuring existing h2-14 stuff works with it (which will come once they re-enable it)
Attachment #8466450 - Flags: review?(hurley) → review+
(Assignee)

Comment 3

5 years ago
fwiw I did test this live with twitter.com and h2-13
(Reporter)

Comment 4

5 years ago
Good enough for me, then.
Comment on attachment 8466450
enforce h2 requirement that sever uses aead

Review of attachment 8466450:
-----------------------------------------------------------------

LGTM.

::: netwerk/socket/nsISSLSocketControl.idl
@@ +82,5 @@
>      const short SSL_VERSION_UNKNOWN = -1;
>  
>      [infallible] readonly attribute short SSLVersionUsed;
> +
> +    /* These values match the NSS defined values */
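
Review bot: The comment added after SSLVersionUsed states that the new constants match the NSS values, but nothing in these lines enforces it, so a renumbering on either side would silently change which connections pass the AEAD check. Consider a compile-time assertion in the implementing C++ that each IDL constant equals its NSS counterpart, so any drift fails the build instead of weakening the check.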

Might be nice to include "in sslt.h"
Attachment #8466450 - Flags: review?(dkeeler) → review+
(Assignee)

Comment 9

5 years ago
apparently clang has no problem with: nsISSLSocketControl::nsISSLSocketControl::SSL_MAC_AEAD  :)
(Assignee)

Updated

5 years ago
Attachment #8466450 - Attachment is obsolete: true
(Assignee)

Updated

5 years ago
Attachment #8467142 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/d023f02eecac
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
(Reporter)

Updated

5 years ago
Duplicate of this bug: 1055696