Closed
Bug 1134437
Opened 9 years ago
Closed 9 years ago
Delay move to PFS cipher suites
Categories
(Core :: WebRTC: Networking, defect)
Tracking
()
RESOLVED
FIXED
mozilla37
| Tracking | Status | |
|---|---|---|
| firefox36 | --- | unaffected |
| firefox37 | + | fixed |
| firefox38 | --- | wontfix |
People
(Reporter: msander, Assigned: mt)
References
Details
Attachments
(1 file, 1 obsolete file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36 Steps to reproduce: The move to support only PFS cipher suites in Fx 37 will cause interoperability problems for 0penTok mobile clients using older versions of webrtc.org code. In addition to supporting browsers like FireFox and Chrome, we also have a number of partners who use WebRTC using native applications built on top of native mobile SDKs. These applications routinely rely on interoperability with browsers as part of their use-case. The versions of mobile SDKs out in the wild are built on top of the webrtc.org code-base that is unable to do ECDHE suites and in turn cause interoperaibility issues when FF is not able to act as a server for DHE suites. Both FF37 and Chrome interoperability has been resolved by a) https://bugzilla.mozilla.org/show_bug.cgi?id=1052610 and b) https://code.google.com/p/chromium/issues/detail?id=406458 respectively. We are in the process of updating our mobile SDKs to support using PFS cipher suites but it usually takes more than 6 weeks for the average mobile application update cycle. As it stands today, interoperability with FireFox 37 will be broken once FF37 moves to production - https://wiki.mozilla.org/RapidRelease/Calendar#Future_branch_dates. We were wondering if support for non-PFS ciphers can be enabled in FF37 and PFS support pushed to FF38. This would help increase the percentage of end-users using mobile applications to receive the update in time to prevent interoperability issues with FireFox when FF38 lands into production.
|
||
Comment 1•9 years ago
|
||
Tagging EKR and Brad, since they've given this some thought.
Flags: needinfo?(ekr)
Flags: needinfo?(blassey.bugs)
OS: Mac OS X → All
Hardware: x86 → All
|
||
Comment 2•9 years ago
|
||
My interest is in not delaying the transition to PFS-only indefinitely. If we land https://bugzilla.mozilla.org/show_bug.cgi?id=102794 will there be any objection to turning this on?
Flags: needinfo?(ekr)
|
||
Comment 3•9 years ago
|
||
I am OK with pushing this off to 38, but not any further than that (it is an ESR release).
Flags: needinfo?(blassey.bugs)
|
||
Comment 4•9 years ago
|
||
Martin -- Would you have time to write a patch for this bug (to delay enforcing cipher suites in Fx37 only)? I'm copying Richard who I'm hoping has the time to review such a patch when it's ready. FYI: Fx37 uplifts to Beta next week, and I believe Beta-build1 "goes to build" on Tuesday/Wednesday. We don't have to land this in time for build1 of Beta (this isn't a fire drill), but it would be nice.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(martin.thomson)
Delaying this until Fx38 will be really helpful, thank you.
|
Assignee | |
Comment 6•9 years ago
|
||
I'm going to re-enable both TLS 1.2 and the static RSA cipher suites in Aurora only. https://treeherder.mozilla.org/#/jobs?repo=try&revision=f388153986c8 https://reviewboard.mozilla.org/r/4053
Flags: needinfo?(martin.thomson)
|
|
Assignee | |
Comment 7•9 years ago
|
||
/r/4055 - Bug 1134437 - Enable TLS 1.2 and static RSA ciphersuites, r=abr Pull down this commit: hg pull review -r 725160562d1deaf20750dca18ab27cccda32390f
Attachment #8566878 -
Flags: review?(adam)
|
|
||
Comment 8•9 years ago
|
||
https://reviewboard.mozilla.org/r/4055/#review3255 To the extent that I understand the problem, this appears to address it. I'm not an expert on the suites that we're re-enabling, but trust that Martin got that part right.
|
|
||
Updated•9 years ago
|
Attachment #8566878 -
Flags: review?(adam) → review+
|
|
Assignee | |
Comment 9•9 years ago
|
||
Comment on attachment 8566878 [details] MozReview Request: bz://1134437/mt Approval Request Comment [Feature/regressing bug #]: bug 1052610 [User impact if declined]: some WebRTC applications will not interoperate with Firefox, we've been asked to give them a little more time to update [Describe test coverage new/current, TreeHerder]: TBPL and unit tests are OK with this; the area has good automated coverage [Risks and why]: only that this is no longer considered "good" crypto [String/UUID change made/needed]: none Note: aurora/37 only please, we don't want this in 38
Attachment #8566878 -
Flags: approval-mozilla-aurora?
|
||
Updated•9 years ago
|
status-firefox36:
--- → unaffected
status-firefox37:
--- → affected
status-firefox38:
--- → wontfix
tracking-firefox37:
--- → +
|
|
||
Comment 10•9 years ago
|
||
Comment on attachment 8566878 [details]
MozReview Request: bz://1134437/mt
OK. Let's defer the security change to 38 and re-enable TLS 1.2 and static RSA ciphersuites in 37. Aurora+
Attachment #8566878 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 11•9 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/366436d0a508
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Updated•9 years ago
|
|
||
Updated•9 years ago
|
Assignee: nobody → martin.thomson
Target Milestone: --- → mozilla37
|
|
||
Comment 12•9 years ago
|
||
Hi Michael -- The patch for this has now landed on Aurora (Fx37) and should be in the Aurora Nightly build tomorrow (Feb 21). Can you help us test this and verify that this patch works as expected for you? Thanks.
Flags: needinfo?(msander)
|
Reporter | |
Comment 13•9 years ago
|
||
Yes, I'll let you know.
|
|
Assignee | |
Comment 15•9 years ago
|
||
Attachment #8566878 -
Attachment is obsolete: true
Attachment #8619520 -
Flags: review+
|
|
Assignee | |
Comment 16•9 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•