Closed
Bug 1037098
Opened 11 years ago
Closed 11 years ago
Remove preferences for cipher suites disabled in bug 1036765 (Camellia and some 3DES & DSS cipher suites)
Categories
(Core :: Security: PSM, defect)
Tracking
RESOLVED
FIXED
mozilla37
People
(Reporter: briansmith, Assigned: briansmith)
Attachments
(1 file)
4.34 KB, patch | keeler: review+
+++ This bug was initially created as a clone of Bug #1036765 +++
After we ship a release with the patches for bug 1036765, we should remove the preferences that had their default values set to false in that patch.
Comment 1•11 years ago
Removing Camellia means leaving users with no strong alternative to AES. Hence, in case of a security issue with AES there's no way to react quickly.
Removing support for 3DES is probably not a good idea either because there are still some IIS/6.0 systems out there that don't speak AES or Camellia.
I found this bug after noticing that Firefox 33 doesn't speak Camellia with my webserver anymore although I configured it as the preferred cipher in order to get away from the AES monotony a bit.
I'd prefer a more diverse set of cipher suites.
Updated•11 years ago (Assignee)
Assignee: nobody → brian
Updated•11 years ago (Assignee)
Target Milestone: mozilla35 → mozilla37
Comment 2•11 years ago (Assignee)
Compare this to the patch for bug 1036765. This is the same process we used for the previous batch of cipher suite support removal.
Attachment #8532360 -
Flags: review?(dkeeler)
Comment 3•11 years ago (Assignee)
(In reply to Thomas Peters from comment #1)
> Removing Camellia means leaving users with no strong alternative to AES.
> Hence, in case of a security issue with AES there's no way to react quickly.
>
> I'd prefer a more diverse set of cipher suites.
1. Currently, NSS doesn't support any ECDHE cipher suites for Camellia. See bug 940119 about rectifying that. That bug is blocked on my review; I'll try to get the review done sometime before the end of the year. That bug must be fixed before Camellia can be reconsidered; even then, I'm not sure Mozilla wants to enable any Camellia cipher suites.
2. It seems there is more support for adding ChaCha20-Poly1305 cipher suites; see bug 917571. I think the addition of the ChaCha20-Poly1305 cipher suites will address your concern about relying on AES too much.
Status: NEW → ASSIGNED
Updated•11 years ago
Attachment #8532360 -
Flags: review?(dkeeler) → review+
Updated•11 years ago (Assignee)
Keywords: checkin-needed
Comment 4•11 years ago (Assignee)
Comment 5•11 years ago (Assignee)
Comment 6•11 years ago (Assignee)
Keywords: checkin-needed
Comment 7•11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED