Closed
Bug 1127285
Opened 9 years ago
Closed 9 years ago
Remove unneeded insecure fallback reasons
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla38
Tracking | Status | |
---|---|---|
firefox38 | --- | fixed |
People
(Reporter: emk, Assigned: emk)
Details
Attachments
(1 file, 1 obsolete file)
1.50 KB,
patch
|
keeler
:
review+
|
Details | Diff | Splinter Review |
Accroding to the Telemetry data [1], we could remove following errors from fallback reasons: SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE SSL_ERROR_BAD_SERVER SSL_ERROR_BAD_BLOCK_PADDING SSL_ERROR_UNSUPPORTED_VERSION (already removed by bug 1102632) SSL_ERROR_RX_MALFORMED_FINISHED SSL_ERROR_RX_UNKNOWN_ALERT Also, accroding to bug 1084025 comment #99, only one of ~211k sites failed with PR_CONNECT_RESET_ERROR due to intolerance. We should consider removing PR_CONNECT_RESET_ERROR from fallback reasons. It will reduce accidental fallbacks due to network glitches. [1] https://telemetry.mozilla.org/#filter=release%2F35%2FSSL_TLS12_INTOLERANCE_REASON_POST 1 1.82k SSL_ERROR_BAD_MAC_ALERT 2 20.17k SSL_ERROR_BAD_MAC_READ 3 5.49k SSL_ERROR_HANDSHAKE_FAILURE_ALERT 4 194.82k SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT 5 0 SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE 6 489 SSL_ERROR_ILLEGAL_PARAMETER_ALERT 7 872.96k SSL_ERROR_NO_CYPHER_OVERLAP 8 0 SSL_ERROR_BAD_SERVER 9 0 SSL_ERROR_BAD_BLOCK_PADDING 10 0 SSL_ERROR_UNSUPPORTED_VERSION 11 31.05k SSL_ERROR_PROTOCOL_VERSION_ALERT 12 0 SSL_ERROR_RX_MALFORMED_FINISHED 13 14 SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE 14 463 SSL_ERROR_DECODE_ERROR_ALERT 15 0 SSL_ERROR_RX_UNKNOWN_ALERT 16 2.64M PR_CONNECT_RESET_ERROR 17 26.8M PR_END_OF_FILE_ERROR
Assignee | ||
Comment 1•9 years ago
|
||
Attachment #8556805 -
Flags: review?(dkeeler)
Assignee | ||
Comment 2•9 years ago
|
||
Attachment #8556806 -
Flags: review?(dkeeler)
Assignee | ||
Comment 4•9 years ago
|
||
Oops, wrong bug number.
Comment on attachment 8556805 [details] [diff] [review] Part 1: Remove unused fallback reasons Review of attachment 8556805 [details] [diff] [review]: ----------------------------------------------------------------- Seems reasonable. To be clear for posterity, this patch doesn't remove SSL_ERROR_UNSUPPORTED_VERSION, and bug 1102632 (where it had been removed) has been backed out.
Attachment #8556805 -
Flags: review?(dkeeler) → review+
Comment on attachment 8556806 [details] [diff] [review] Part 2: Whitelist PR_CONNECT_RESET_ERROR as a fallback reason Review of attachment 8556806 [details] [diff] [review]: ----------------------------------------------------------------- Again, seems reasonable, but these changes should be in two other bugs: one for the changes to the insecure_fallback_hosts pref and another for the changes to how PR_CONNECT_RESET_ERROR is handled. ::: netwerk/base/security-prefs.js @@ +15,4 @@ > # bug 1126652, www.animate-onlineshop.jp > # bug 1126654, www.gamers-onlineshop.jp > +# bug 1127611, www.utahbar.org > +pref("security.tls.insecure_fallback_hosts", "www.kredodirect.com.ua,web3.secureinternetbank.com,cmypage.kuronekoyamato.co.jp,www.timewarnercable.com,wayfarer.timewarnercable.com,airportwifi.com,cart.pcpitstop.com,books.wwnorton.com,emaildvla.direct.gov.uk,www.gosignmeup.com,m.getawaytoday.com,cualerts.dupaco.com,www.animate-onlineshop.jp,www.gamers-onlineshop.jp,www.utahbar.org"); These changes should happen in a separate bug. ::: security/manager/ssl/src/nsNSSIOLayer.cpp @@ +1223,5 @@ > > return false; > } > + > + // Allow PR_CONNECT_RESET_ERROR only for whitelisted sites. These changes should happen in yet another, separate bug.
Attachment #8556806 -
Flags: review?(dkeeler) → review-
Assignee | ||
Comment 7•9 years ago
|
||
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6) > Again, seems reasonable, but these changes should be in two other bugs: one > for the changes to the insecure_fallback_hosts pref and another for the > changes to how PR_CONNECT_RESET_ERROR is handled. OK, moved to bug 1128763.
No longer depends on: 1116891
Assignee | ||
Updated•9 years ago
|
Attachment #8556806 -
Attachment is obsolete: true
Assignee | ||
Comment 8•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=84c5bfb407f9 https://hg.mozilla.org/integration/mozilla-inbound/rev/7509bf974fbc
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → VYV03354
Status: NEW → ASSIGNED
https://hg.mozilla.org/mozilla-central/rev/7509bf974fbc
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox38:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in
before you can comment on or make changes to this bug.
Description
•