Closed Bug 1127285 Opened 9 years ago Closed 9 years ago

Remove unneeded insecure fallback reasons

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla38
Tracking Flags:
Tracking Status
firefox38 --- fixed

People

(Reporter: emk, Assigned: emk)

Details

Attachments

(1 file, 1 obsolete file)

Part 1: Remove unused fallback reasons
1.50 KB, patch
keeler
: review+
Details | Diff | Splinter Review 
Accroding to the Telemetry data [1], we could remove following errors from fallback reasons:
SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE
SSL_ERROR_BAD_SERVER
SSL_ERROR_BAD_BLOCK_PADDING
SSL_ERROR_UNSUPPORTED_VERSION (already removed by bug 1102632)
SSL_ERROR_RX_MALFORMED_FINISHED
SSL_ERROR_RX_UNKNOWN_ALERT

Also, accroding to bug 1084025 comment #99, only one of ~211k sites failed with PR_CONNECT_RESET_ERROR due to intolerance. We should consider removing PR_CONNECT_RESET_ERROR from fallback reasons. It will reduce accidental fallbacks due to network glitches.

[1] https://telemetry.mozilla.org/#filter=release%2F35%2FSSL_TLS12_INTOLERANCE_REASON_POST
1	1.82k	SSL_ERROR_BAD_MAC_ALERT
2	20.17k	SSL_ERROR_BAD_MAC_READ
3	5.49k	SSL_ERROR_HANDSHAKE_FAILURE_ALERT
4	194.82k	SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT
5	0	SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE
6	489	SSL_ERROR_ILLEGAL_PARAMETER_ALERT
7	872.96k	SSL_ERROR_NO_CYPHER_OVERLAP
8	0	SSL_ERROR_BAD_SERVER
9	0	SSL_ERROR_BAD_BLOCK_PADDING
10	0	SSL_ERROR_UNSUPPORTED_VERSION
11	31.05k	SSL_ERROR_PROTOCOL_VERSION_ALERT
12	0	SSL_ERROR_RX_MALFORMED_FINISHED
13	14	SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE
14	463	SSL_ERROR_DECODE_ERROR_ALERT
15	0	SSL_ERROR_RX_UNKNOWN_ALERT
16	2.64M	PR_CONNECT_RESET_ERROR
17	26.8M	PR_END_OF_FILE_ERROR

        Attachment #8556805 -
        Flags: review?(dkeeler)

    
    

    
  
Part 2 depends on the patch from bug 1116892.
Depends on: 1116892

    
    

    
  
Oops, wrong bug number.
Depends on: 1116891
No longer depends on: 1116892

    
    

    
  
Comment on attachment 8556805 [details] [diff] [review]
Part 1: Remove unused fallback reasons

Review of attachment 8556805 [details] [diff] [review]:
-----------------------------------------------------------------

Seems reasonable. To be clear for posterity, this patch doesn't remove SSL_ERROR_UNSUPPORTED_VERSION, and bug 1102632 (where it had been removed) has been backed out.

        Attachment #8556805 -
        Flags: review?(dkeeler) → review+

    
    

    
  
Comment on attachment 8556806 [details] [diff] [review]
Part 2: Whitelist PR_CONNECT_RESET_ERROR as a fallback reason

Review of attachment 8556806 [details] [diff] [review]:
-----------------------------------------------------------------

Again, seems reasonable, but these changes should be in two other bugs: one for the changes to the insecure_fallback_hosts pref and another for the changes to how PR_CONNECT_RESET_ERROR is handled.

::: netwerk/base/security-prefs.js
@@ +15,4 @@
>  # bug 1126652, www.animate-onlineshop.jp
>  # bug 1126654, www.gamers-onlineshop.jp
> +# bug 1127611, www.utahbar.org
> +pref("security.tls.insecure_fallback_hosts", "www.kredodirect.com.ua,web3.secureinternetbank.com,cmypage.kuronekoyamato.co.jp,www.timewarnercable.com,wayfarer.timewarnercable.com,airportwifi.com,cart.pcpitstop.com,books.wwnorton.com,emaildvla.direct.gov.uk,www.gosignmeup.com,m.getawaytoday.com,cualerts.dupaco.com,www.animate-onlineshop.jp,www.gamers-onlineshop.jp,www.utahbar.org");

These changes should happen in a separate bug.

::: security/manager/ssl/src/nsNSSIOLayer.cpp
@@ +1223,5 @@
>  
>      return false;
>    }
> +
> +  // Allow PR_CONNECT_RESET_ERROR only for whitelisted sites.

These changes should happen in yet another, separate bug.

        Attachment #8556806 -
        Flags: review?(dkeeler) → review-

    
    

    
  
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> Again, seems reasonable, but these changes should be in two other bugs: one
> for the changes to the insecure_fallback_hosts pref and another for the
> changes to how PR_CONNECT_RESET_ERROR is handled.

OK, moved to bug 1128763.
No longer depends on: 1116891

    
  

        Attachment #8556806 -
        Attachment is obsolete: true

    
  
Assignee: nobody → VYV03354
Status: NEW → ASSIGNED

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/7509bf974fbc
Status: ASSIGNED → RESOLVED
Closed: 9 years ago

          status-firefox38:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: