Remove SSL_ERROR_UNSUPPORTED_VERSION from insecure-fallback-enabled error code list

REOPENED
P5
normal
REOPENED
4 years ago
11 months ago

People

(Reporter: emk, Assigned: emk)

Tracking

unspecified
Points:
---

Firefox Tracking Flags

(firefox35 unaffected, firefox36 unaffected, firefox37+ wontfix, firefox38+ disabled)

Details

(Whiteboard: [psm-assigned])

Attachments

(2 attachments)

(Assignee)

Description

4 years ago
Before bug 1084986:
We disable SSLv2, so NSS will never return this error.

After bug 1084986:
If NSS returns this error, it means that the server sent back a ServerHello message with a negotiated version.
The server didn't disconnect abruptly, it didn't send an alert. In other words, the server negotiated the version securely.
Therefore it's a waste of time to fall back with lower max versions.
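
The description above separates three server reactions: an abrupt disconnect, an alert, and a ServerHello carrying a negotiated version. The sketch below is an added example, not code from this bug, PSM or NSS; it tells the three apart from the first TLS record. All names are hypothetical, the byte arrays are constructed samples, and treating "version outside the client's enabled range" as the unsupported-version case is an assumption of the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcomes of reading the server's first TLS record (hypothetical names). */
enum first_reply {
    REPLY_NONE,              /* connection closed before any record arrived */
    REPLY_MALFORMED,         /* truncated or unexpected record */
    REPLY_ALERT,             /* server answered with an alert record */
    REPLY_HELLO_OK,          /* ServerHello version inside the enabled range */
    REPLY_HELLO_UNSUPPORTED  /* ServerHello version outside the enabled range */
};

/* Versions use the wire encoding: 0x0300 SSLv3, 0x0301 TLS 1.0, 0x0303 TLS 1.2. */
enum first_reply classify_first_reply(const uint8_t *buf, size_t len,
                                      uint16_t min_ver, uint16_t max_ver)
{
    if (len == 0)
        return REPLY_NONE;
    if (len < 5)                          /* record header is 5 bytes */
        return REPLY_MALFORMED;
    size_t body = ((size_t)buf[3] << 8) | buf[4];
    if (body > len - 5)                   /* declared length exceeds the data */
        return REPLY_MALFORMED;
    if (buf[0] == 21)                     /* ContentType alert: level + description */
        return body >= 2 ? REPLY_ALERT : REPLY_MALFORMED;
    /* Need ContentType handshake, 4-byte handshake header + 2-byte version,
       and HandshakeType server_hello. */
    if (buf[0] != 22 || body < 6 || buf[5] != 2)
        return REPLY_MALFORMED;
    uint16_t ver = (uint16_t)((buf[9] << 8) | buf[10]);  /* server_version */
    if (ver < min_ver || ver > max_ver)
        return REPLY_HELLO_UNSUPPORTED;
    return REPLY_HELLO_OK;
}

/* Constructed sample: ServerHello cut down to the fields read above, selecting SSLv3. */
static const uint8_t sample_hello_ssl3[] = {
    22, 0x03, 0x00, 0x00, 0x06,           /* record header: handshake, 6 bytes */
    2, 0x00, 0x00, 0x02, 0x03, 0x00       /* server_hello, server_version 0x0300 */
};
/* Constructed sample: fatal handshake_failure alert. */
static const uint8_t sample_alert[] = { 21, 0x03, 0x01, 0x00, 0x02, 2, 40 };

int main(void)
{
    printf("hello: %d\n", (int)classify_first_reply(sample_hello_ssl3,
           sizeof sample_hello_ssl3, 0x0301, 0x0303));
    printf("alert: %d\n", (int)classify_first_reply(sample_alert,
           sizeof sample_alert, 0x0301, 0x0303));
    return 0;
}
```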
(Assignee)

Comment 1

4 years ago
Created attachment 8526740 [details] [diff] [review]
Stop triggering non-secure fallback for SSL_ERROR_UNSUPPORTED_VERSION
Assignee: nobody → VYV03354
Status: NEW → ASSIGNED
Attachment #8526740 - Flags: review?(dkeeler)
Comment on attachment 8526740 [details] [diff] [review]
Stop triggering non-secure fallback for SSL_ERROR_UNSUPPORTED_VERSION

Review of attachment 8526740 [details] [diff] [review]:
-----------------------------------------------------------------

OK - seems reasonable. Let's monitor telemetry after bug 1084986 to make sure we're not encountering this error in this code (if the 0 bucket starts collecting hits, it'll probably be because of this).
Attachment #8526740 - Flags: review?(dkeeler) → review+
https://hg.mozilla.org/mozilla-central/rev/3d4d4a91f29a
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
(Assignee)

Comment 5

4 years ago
Backed out because 111 of 561 sites couldn't connect without this fallback reason.
https://hg.mozilla.org/integration/mozilla-inbound/rev/76ac4c3323a9
My assumption in comment #0 was wrong :(
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 6

4 years ago
> 111 of 561 sites
The list of 561 sites is bug 1084025 comment #96.
(Assignee)

Comment 7

4 years ago
Created attachment 8557473 [details] [diff] [review]
backout patch

Approval Request Comment
[Feature/regressing bug #]: 1102632 (this bug)
[User impact if declined]: Users can no longer connect to some sites without enabling SSLv3.
[Describe test coverage new/current, TreeHerder]: Manually tested
[Risks and why]: Very low. Just a backout of one line removal.
[String/UUID change made/needed]: none
Attachment #8557473 - Flags: approval-mozilla-aurora?
Comment on attachment 8557473 [details] [diff] [review]
backout patch

Aurora+ for the backout.
Attachment #8557473 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
I take it that this needs to be backed out of 38 as well. Can you please confirm?
status-firefox35: --- → unaffected
status-firefox36: --- → unaffected
status-firefox37: --- → affected
status-firefox38: --- → affected
tracking-firefox37: --- → +
tracking-firefox38: --- → +
Flags: needinfo?(VYV03354)
(Assignee)

Comment 10

4 years ago
Already backed out from Nightly (38):
https://hg.mozilla.org/mozilla-central/rev/76ac4c3323a9
status-firefox38: affected → disabled
Flags: needinfo?(VYV03354)
https://hg.mozilla.org/releases/mozilla-aurora/rev/7e4e593cd4d7
status-firefox37: affected → wontfix
Target Milestone: mozilla37 → ---
:emk - is this a wontfix? Or are we going to move forward with this in the future?
Flags: needinfo?(VYV03354)
(Assignee)

Comment 13

2 years ago
I am considering adding telemetry to check which intolerance reason is used for a successful fallback connection, to find unused intolerance reasons.
Flags: needinfo?(VYV03354)
Whiteboard: [psm-assigned]
P1 because this is assigned.
Priority: -- → P1

Updated

11 months ago
Priority: P1 → P5