Closed Bug 1105551 Opened 10 years ago Closed 10 years ago

Firefox still sends TLS tickets after they were turned off.

Categories

(Core :: Security, defect)

33 Branch
x86
macOS
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: dansmith, Unassigned)

Attachments

(1 file)

Attached image tlsticket.png
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141013200257

Steps to reproduce:

My Firefox installation has security.enable_tls_session_tickets set to false, however
Wireshark reveals that Firefox still sends a TLS ticket (see the attached wireshark screenshot).

There can be no mistake that this TLS connection was initiated by my FF.
My custom preferences use only TLSv1 and I enabled only 4 ciphersuites. (I confirmed this in Wireshark.)
Besides, I'm using NSSKEYLOGFILE to decrypt HTTPS and as you can see on the screenshot it is indeed decrypted.

P.S.
My Firefox installation uses a bundled add-on placed in the distribution/bundles folder.
This addon has defaults/preferences/defaults.js overrides and one of them is:
pref("security.enable_tls_session_tickets",false);
So, my FF's about:config shows:
security.enable_tls_session_tickets;false Status:default
In a stock FF installation the default value is true.
Even though unlikely, it may be that my bundled addon confuses FF and it still thinks
that the preference is set to true.
This pref was around in Firefox 24:

http://mxr.mozilla.org/mozilla-esr24/search?string=tls_session&find=&findi=&filter=^[^\0]*%24&hitlimit=&tree=mozilla-esr24

but hasn't been since somewhere between then and 31:

http://mxr.mozilla.org/mozilla-esr31/search?string=tls_session&find=&findi=&filter=^[^\0]*%24&hitlimit=&tree=mozilla-esr31

Considering the preference doesn't exist, I'm marking this invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Component: Untriaged → Security
Product: Firefox → Core
Resolution: --- → INVALID
Some archaeology shows the pref was removed by bug 917049 for Firefox 27. From Firefox 35 (currently labeled "dev edition", to become beta next week), we've started supporting a different pref. See bug 967977 for details. You want to set security.ssl.disable_session_identifiers to true and run 35 or later.
Blocks: 917049
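
The check the reporter made by eye in Wireshark can be scripted. The following is an added example, not part of the bug thread or of Mozilla code: it parses a raw TLS record holding a ClientHello and reports whether the RFC 5077 SessionTicket extension (type 35) is absent, offered empty, or carrying a ticket. The function names and the sample records are this example's own, and the records are constructed.

```python
import struct

SESSION_TICKET = 35  # extension type assigned by RFC 5077

def session_ticket_state(record: bytes) -> str:
    """Return 'absent', 'offered' (empty extension: tickets supported)
    or 'resuming' (a ticket is attached) for a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record starting with ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    try:
        pos = 2 + 32                                         # version + random
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    if len(body) != hs_len or pos > len(body):
        raise ValueError("truncated ClientHello")
    if pos == len(body):
        return "absent"                                      # no extensions
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if ext_type == SESSION_TICKET:
            return "resuming" if ext_len else "offered"
        pos += 4 + ext_len
    return "absent"

def ext(ext_type: int, data: bytes = b"") -> bytes:
    """Encode one extension: type, length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data

def build_client_hello(extensions: bytes) -> bytes:
    """Constructed sample: TLS 1.0 ClientHello offering one cipher suite."""
    body = b"\x03\x01" + bytes(32) + b"\x00"   # version, random, no session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"  # one suite, null compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed records; 0xff01 is renegotiation_info, present as a decoy.
NO_TICKET = build_client_hello(ext(0xFF01, b"\x00"))
OFFERED = build_client_hello(ext(0xFF01, b"\x00") + ext(SESSION_TICKET))
RESUMING = build_client_hello(ext(SESSION_TICKET, bytes(16)))
```

An 'offered' result means the client advertises ticket support without resuming a session; 'resuming' means it presented a ticket from an earlier connection.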