Closed Bug 1083360 Opened 6 years ago Closed 6 years ago

support TLS_FALLBACK_SCSV in tstclnt and ssltap

Categories

(NSS :: Tools, defect)

3.17.1
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
3.17.3

People

(Reporter: KaiE, Assigned: KaiE)

Details

Attachments

(2 files)

For testing purposes, I've been asked to add a preference to tstclnt, which can be used to force sending of the TLS_FALLBACK_SCSV.

Attached patch implements that.

In addition it includes a change for ssltap, which allows it to print it as text when seen.
Target Milestone: --- → 3.17.3
Attached patch: Patch v1
Assignee: nobody → kaie
Attachment #8505638 - Flags: review?(martin.thomson)
Attachment #8505638 - Flags: review?(martin.thomson) → review+
I should point out that the SCSV will be forced as a result of this; it's not going to be selectively on.  That means that it will appear for a TLS 1.2 handshake.  I think that's exactly the right thing here.
@Martin: Yes, we need to be able to force it with any version, to test that if a server turns out to be intolerant to some future version of TLS, it will correctly handle a TLS 1.2 with this SCSV.

@Kai: The patch is missing an update to the -help message.
Attachment #8506355 - Flags: review?(martin.thomson)
Comment on attachment 8506355: Help message Patch

(In reply to Hubert Kario from comment #3)
> @Kai: The patch is missing an update to the -help message

This additional patch adds it.
Attachment #8506355 - Flags: review?(martin.thomson) → review+
https://hg.mozilla.org/projects/nss/rev/34baf87d485d
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: 3.17.3 → 3.18
Target Milestone: 3.18 → 3.17.3
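
What a tool like ssltap has to recognise on the wire, as an added example that is not NSS code and not part of this bug's patches: a check for TLS_FALLBACK_SCSV (0x5600, the value assigned in RFC 7507) in a ClientHello's cipher suite list, here alongside a TLS 1.2 client_version as discussed above. The sample record is constructed, the function name is hypothetical, and the parser assumes the ClientHello fits in a single record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_FALLBACK_SCSV 0x5600 /* value assigned in RFC 7507 */

/* Constructed sample: one TLS record holding a ClientHello with
 * client_version 0x0303 (TLS 1.2), zero random, no session id. */
static const uint8_t SAMPLE[] = {
    0x16, 0x03, 0x01, 0x00, 0x31,       /* record: handshake, 49 bytes */
    0x01, 0x00, 0x00, 0x2d,             /* ClientHello, 45 bytes */
    0x03, 0x03,                         /* client_version; random follows */
    [43] = 0x00,                        /* session_id length */
    0x00, 0x06, 0xc0, 0x2f, 0x00, 0x9c, 0x56, 0x00, /* cipher_suites */
    0x01, 0x00                          /* compression_methods */
};

/* Returns 1 if the ClientHello lists TLS_FALLBACK_SCSV, 0 if it does not,
 * -1 if the buffer is not a complete single-record ClientHello. */
static int offers_fallback_scsv(const uint8_t *rec, size_t len, uint16_t *version)
{
    size_t end, pos = 9, suites_len, i;  /* body starts after both headers */
    if (len < 9 || rec[0] != 0x16 || rec[5] != 0x01)
        return -1;
    end = 5 + (((size_t)rec[3] << 8) | rec[4]);
    if (end > len || pos + 2 + 32 + 1 > end)
        return -1;
    *version = (uint16_t)((rec[pos] << 8) | rec[pos + 1]);
    pos += 2 + 32;                       /* skip client_version and random */
    pos += 1 + (size_t)rec[pos];         /* skip session_id */
    if (pos + 2 > end)
        return -1;
    suites_len = ((size_t)rec[pos] << 8) | rec[pos + 1];
    pos += 2;
    if (suites_len % 2 != 0 || pos + suites_len > end)
        return -1;
    for (i = 0; i < suites_len; i += 2)
        if (((rec[pos + i] << 8) | rec[pos + i + 1]) == TLS_FALLBACK_SCSV)
            return 1;
    return 0;
}

int main(void)
{
    uint16_t v = 0;
    int r = offers_fallback_scsv(SAMPLE, sizeof SAMPLE, &v);
    printf("client_version=0x%04x SCSV=%s\n", (unsigned)v, r == 1 ? "present" : "absent");
    return 0;
}
```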