Closed
Bug 1027720
Opened 10 years ago
Closed 10 years ago
Restrict HTTP/2 connections to AEAD ciphers only
Categories
(Core :: Networking: HTTP, defect)
Core
Networking: HTTP
Tracking
()
RESOLVED
FIXED
mozilla34
People
(Reporter: u408661, Assigned: mcmanus)
References
Details
(Keywords: dev-doc-needed, Whiteboard: [spdy])
Attachments
(1 file, 1 obsolete file)
|
6.28 KB,
patch
|
mcmanus
:
review+
|
Details | Diff | Splinter Review |
The spec now requires only AEAD ciphers. That requires some PSM plumbing before we can make the HTTP/2 code enforce that work.
Patrick, can you do the PSM plumbing bits? I think we just need to make sure that nsISSLStatus.cipherName is set when we get to ConfirmTLSProfile (and we may also need to make sure that we have access to an nsISSLStatus object at that point). It may be easier to just add another field to nsISSLSocketControl instead.
|
Assignee | |
Updated•10 years ago
|
Whiteboard: [spdy] [http2release] → [spdy]
|
|
Assignee | |
Comment 1•10 years ago
|
||
Attachment #8466450 -
Flags: review?(hurley)
|
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•10 years ago
|
Attachment #8466450 -
Flags: review?(dkeeler)
Comment on attachment 8466450 [details] [diff] [review]
enforce h2 requirement that sever uses aead
Review of attachment 8466450 [details] [diff] [review]:
-----------------------------------------------------------------
LGTM, but let's make sure we interop with this applied before landing. I'll give this a shot w/webtide after ensuring existing h2-14 stuff works with it (which will come once they re-enable it)
Attachment #8466450 -
Flags: review?(hurley) → review+
|
|
Assignee | |
Comment 3•10 years ago
|
||
fwiw I did test this live with twitter.com and h2-13
|
||
Comment 5•10 years ago
|
||
Comment on attachment 8466450 [details] [diff] [review]
enforce h2 requirement that sever uses aead
Review of attachment 8466450 [details] [diff] [review]:
-----------------------------------------------------------------
LGTM.
::: netwerk/socket/nsISSLSocketControl.idl
@@ +82,5 @@
> const short SSL_VERSION_UNKNOWN = -1;
>
> [infallible] readonly attribute short SSLVersionUsed;
> +
> + /* These values match the NSS defined values */
Might be nice to include "in sslt.h"
Attachment #8466450 -
Flags: review?(dkeeler) → review+
|
|
Assignee | |
Comment 6•10 years ago
|
||
|
|
Assignee | |
Comment 7•10 years ago
|
||
|
||
Comment 8•10 years ago
|
||
Backed out for build failures:
https://tbpl.mozilla.org/php/getParsedLog.php?id=45174214&tree=Mozilla-Inbound
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/0324cae16300
|
|
Assignee | |
Comment 9•10 years ago
|
||
apparently clang has no problem with: nsISSLSocketControl::nsISSLSocketControl::SSL_MAC_AEAD :)
|
|
Assignee | |
Comment 10•10 years ago
|
||
|
|
Assignee | |
Comment 11•10 years ago
|
||
|
|
Assignee | |
Updated•10 years ago
|
Attachment #8466450 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•10 years ago
|
Attachment #8467142 -
Flags: review+
|
|
Assignee | |
Comment 12•10 years ago
|
||
|
|
||
Comment 13•10 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
|
||
Updated•10 years ago
|
Keywords: dev-doc-needed
You need to log in
before you can comment on or make changes to this bug.
Description
•