Open
Bug 1102632
Opened 10 years ago
Updated 2 years ago
Remove SSL_ERROR_UNSUPPORTED_VERSION from insecure-fallback-enabled error code list
Categories
(Core :: Security: PSM, defect, P5)
Core
Security: PSM
Tracking
()
REOPENED
| Tracking | Status | |
|---|---|---|
| firefox35 | --- | unaffected |
| firefox36 | --- | unaffected |
| firefox37 | + | wontfix |
| firefox38 | + | disabled |
People
(Reporter: emk, Assigned: emk)
Details
(Whiteboard: [psm-assigned])
Attachments
(2 files)
|
1.28 KB,
patch
|
keeler
:
review+
|
Details | Diff | Splinter Review |
|
1.29 KB,
patch
|
lmandel
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Before bug 1084986: We disables SSLv2, so NSS will never return this error. After bug 1084986: If NSS returns this error, it means that the server sent back a ServerHello message with a negotiated version. The server didn't disconnect abruptly, it didn't send an alert. In other words, the server negotiated the version securely. Therefore it's a waste of time to fallback with lower max versions.
|
Assignee | |
Comment 1•10 years ago
|
||
Comment on attachment 8526740 [details] [diff] [review] Stop triggering non-secure fallback for SSL_ERROR_UNSUPPORTED_VERSION Review of attachment 8526740 [details] [diff] [review]: ----------------------------------------------------------------- OK - seems reasonable. Let's monitor telemetry after bug 1084986 to make sure we're not encountering this error in this code (if the 0 bucket starts collecting hits, it'll probably be because of this).
Attachment #8526740 -
Flags: review?(dkeeler) → review+
|
|
Assignee | |
Comment 3•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/3d4d4a91f29a
|
||
Comment 4•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/3d4d4a91f29a
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
|
|
Assignee | |
Comment 5•9 years ago
|
||
Backed out because 111 of 561 sites couldn't connect without this fallback reason. https://hg.mozilla.org/integration/mozilla-inbound/rev/76ac4c3323a9 My assumption in comment #0 was wrong :(
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 6•9 years ago
|
||
> 111 of 561 sites The list of 561 sites is bug 1084025 comment #96.
|
|
Assignee | |
Comment 7•9 years ago
|
||
Approval Request Comment [Feature/regressing bug #]: 1102632 (this bug) [User impact if declined]: Users can no longer connect some sites without enabling SSLv3. [Describe test coverage new/current, TreeHerder]: Manually tested [Risks and why]: Very low. Just a backout of one line removal. [String/UUID change made/needed]: none
Attachment #8557473 -
Flags: approval-mozilla-aurora?
|
||
Comment 8•9 years ago
|
||
Comment on attachment 8557473 [details] [diff] [review] backout patch Aurora+ for the backout.
Attachment #8557473 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Comment 9•9 years ago
|
||
I take it that this needs to be backed out of 38 as well. Can you please confirm?
status-firefox35:
--- → unaffected
status-firefox36:
--- → unaffected
status-firefox37:
--- → affected
status-firefox38:
--- → affected
tracking-firefox37:
--- → +
tracking-firefox38:
--- → +
Flags: needinfo?(VYV03354)
|
|
Assignee | |
Comment 10•9 years ago
|
||
Already backed out from Nightly (38): https://hg.mozilla.org/mozilla-central/rev/76ac4c3323a9
Flags: needinfo?(VYV03354)
|
||
Comment 11•9 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/7e4e593cd4d7
Target Milestone: mozilla37 → ---
:emk - is this a wontfix? Or are we going to move forward with this in the future?
Flags: needinfo?(VYV03354)
|
|
Assignee | |
Comment 13•8 years ago
|
||
I consider to add telemetry to check what intolerance reason is used for a successful fallback connection to find unused intolerance reason.
Flags: needinfo?(VYV03354)
Whiteboard: [psm-assigned]
P1 because this is assigned.
Priority: -- → P1
|
||
Updated•7 years ago
|
Priority: P1 → P5
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•