Closed Bug 1083996 Opened 5 years ago Closed 5 years ago
SSL Version Control rollbacks the min version on uninstall after Firefox update
Steps to reproduce: 1. Install Nightly built in 2014-10-15 or earlier: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-10-15-03-02-02-mozilla-central/ 2. Make sure security.tls.version.min is set to 0 (default). 3. Install SSL Version Control: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/ 4. Update Nightly from About Nightly. 5. Open about:config and confirm the security.tls.version.min value. Actual result: security.tls.version.min is set to the vulnerable old value (a.k.a. 0). Expected result: SSL Version Control should not restore the old version in this case. Mozilla recommends installing SSL Version Control as a workaround for v33 users, so this bug is significant. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Sorry, insert the following step between 4. and 5.: 4.1. Uninstall SSL Version Control.
(In reply to Masatoshi Kimura [:emk] from comment #1) > Sorry, insert the following step between 4. and 5.: > 4.1. Uninstall SSL Version Control. That's a critical step to omit :) I agree that this is a bug. The latest Nightly defaults to 1, and the add-on should restore the value to the default (not the value it was prior to installation). Richard, do you think that you could look at this?
The add-on shouldn't restore the min version if it is lower than the default value.
Summary: SSL Version Control rollbacks the min version after Firefox update → SSL Version Control rollbacks the min version on uninstall after Firefox update
Or the add-on should reset security.tls.version.min to the default value if the (current) default is larger than ssl-version-control.old.security.tls.version.min.
I have uploaded version 0.3 to addons.mozilla.org, which should fix this issue. It should appear as soon as it is reviewed.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
The problem was not fixed.
SSL Version Control 0.3 still copies back the ols version blindly. https://addons.mozilla.org/en-US/firefox/files/browse/283134/file/bootstrap.js#L50
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Any progress? Firefox 34 is about to ship.
Richard, don't get fancy: void clearUserPref(in string aPrefName); https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIPrefBranch#clearUserPref%28%29 The current code is over-engineered.
I confirmed this with a release version of Firefox. Now the STR is: 1. Install Firefox 33.1.1 (or earlier). 2. Launch Firefox with a fresh profile. 3. Install SSL Version Control 0.3. 4. Update Firefox to 34. 5. Uninstall SSL Version Control. Actual result: SSL Version Control 0.3 rollbacks the "security.tls.version.min" pref to 0.
Fixed by SSL Version Control 0.4.
Status: REOPENED → RESOLVED
Closed: 5 years ago → 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.