Closed
Bug 1083996
Opened 10 years ago
Closed 9 years ago
SSL Version Control rollbacks the min version on uninstall after Firefox update
Categories
(Firefox :: Extension Compatibility, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: emk, Unassigned)
Steps to reproduce:
1. Install Nightly built on 2014-10-15 or earlier: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-10-15-03-02-02-mozilla-central/
2. Make sure security.tls.version.min is set to 0 (default).
3. Install SSL Version Control: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
4. Update Nightly from About Nightly.
5. Open about:config and confirm the security.tls.version.min value.

Actual result: security.tls.version.min is set to the vulnerable old value (a.k.a. 0).

Expected result: SSL Version Control should not restore the old version in this case.

Mozilla recommends installing SSL Version Control as a workaround for v33 users, so this bug is significant.
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

Comment 1 • 10 years ago (Reporter)
Sorry, insert the following step between 4. and 5.: 4.1. Uninstall SSL Version Control.
Comment 2 • 10 years ago
(In reply to Masatoshi Kimura [:emk] from comment #1)
> Sorry, insert the following step between 4. and 5.:
> 4.1. Uninstall SSL Version Control.

That's a critical step to omit :)

I agree that this is a bug. The latest Nightly defaults to 1, and the add-on should restore the value to the default (not the value it was prior to installation).

Richard, do you think that you could look at this?
Flags: needinfo?(rlb)
Comment 3 • 10 years ago (Reporter)
The add-on shouldn't restore the min version if it is lower than the default value.
Summary: SSL Version Control rollbacks the min version after Firefox update → SSL Version Control rollbacks the min version on uninstall after Firefox update
Comment 4 • 10 years ago (Reporter)
Or the add-on should reset security.tls.version.min to the default value if the (current) default is larger than ssl-version-control.old.security.tls.version.min.
Comment 5 • 10 years ago
I have uploaded version 0.3 to addons.mozilla.org, which should fix this issue. It should appear as soon as it is reviewed.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(rlb)
Resolution: --- → FIXED
Comment 7 • 10 years ago (Reporter)
SSL Version Control 0.3 still copies back the old version blindly.
https://addons.mozilla.org/en-US/firefox/files/browse/283134/file/bootstrap.js#L50
Updated • 10 years ago (Reporter)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 8 • 10 years ago (Reporter)
Any progress? Firefox 34 is about to ship.
Comment 9 • 10 years ago
Richard, don't get fancy:
void clearUserPref(in string aPrefName);
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIPrefBranch#clearUserPref%28%29
The current code is over-engineered.
Comment 10 • 9 years ago (Reporter)
I confirmed this with a release version of Firefox. Now the STR is:
1. Install Firefox 33.1.1 (or earlier).
2. Launch Firefox with a fresh profile.
3. Install SSL Version Control 0.3.
4. Update Firefox to 34.
5. Uninstall SSL Version Control.

Actual result: SSL Version Control 0.3 rolls back the "security.tls.version.min" pref to 0.
Comment 12 • 9 years ago (Reporter)
Fixed by SSL Version Control 0.4.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 9 years ago
Resolution: --- → FIXED
Updated • 9 years ago
Flags: needinfo?(rlb)
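
The uninstall behaviours discussed in comments 3, 4, 7 and 9, side by side, as an added example that is not the add-on's own code. `FakePrefs` is a constructed in-memory stand-in for the pref service (its method names mirror nsIPrefBranch, `getDefault` is a hypothetical helper), and the install value of 1 is an assumption.

```javascript
// Constructed stand-in for the pref service: a default layer plus user overrides.
// Method names mirror nsIPrefBranch; getDefault() is a hypothetical helper.
class FakePrefs {
  constructor(defaults) {
    this.defaults = new Map(Object.entries(defaults));
    this.user = new Map();
  }
  getIntPref(n) { return this.user.has(n) ? this.user.get(n) : this.defaults.get(n); }
  getDefault(n) { return this.defaults.get(n); }
  setIntPref(n, v) { this.user.set(n, v); }
  prefHasUserValue(n) { return this.user.has(n); }
  clearUserPref(n) { this.user.delete(n); }
}
const PREF = "security.tls.version.min"; // 0 permits SSL 3.0, 1 is TLS 1.0
const SAVED = "ssl-version-control.old." + PREF;
// Install: remember the current value, then set the add-on's minimum (assumed 1).
function install(prefs, wanted = 1) {
  prefs.setIntPref(SAVED, prefs.getIntPref(PREF));
  prefs.setIntPref(PREF, wanted);
}
// Reported behaviour (comment 7): copy the saved value back unconditionally.
function uninstallBlind(prefs) {
  prefs.setIntPref(PREF, prefs.getIntPref(SAVED));
  prefs.clearUserPref(SAVED);
}
// Comments 3 and 4: restore only a value stricter than the current default.
function uninstallGuarded(prefs) {
  const old = prefs.getIntPref(SAVED);
  if (old > prefs.getDefault(PREF)) prefs.setIntPref(PREF, old);
  else prefs.clearUserPref(PREF);
  prefs.clearUserPref(SAVED);
}
// Comment 9: drop the user value and let the browser default apply.
function uninstallClear(prefs) {
  prefs.clearUserPref(PREF);
  prefs.clearUserPref(SAVED);
}
// Install at default 0, update the browser (default becomes 1), then uninstall.
// userOld models a value the user had set by hand before installing.
function scenario(uninstall, userOld) {
  const prefs = new FakePrefs({ [PREF]: 0 });
  if (userOld !== undefined) prefs.setIntPref(PREF, userOld);
  install(prefs);
  prefs.defaults.set(PREF, 1); // simulated Firefox update
  uninstall(prefs);
  return { effective: prefs.getIntPref(PREF), userSet: prefs.prefHasUserValue(PREF) };
}
console.log(scenario(uninstallBlind), scenario(uninstallGuarded), scenario(uninstallClear));
```

With a hand-set value of 2 before installation, `uninstallGuarded` returns the profile to 2 while `uninstallClear` returns it to the default of 1.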