SSL_ENABLE_EXTENDED_MASTER_SECRET is now available. We should turn it on.
Created attachment 8697414 [details] [diff] [review] Enable extended master secret
Assignee: nobody → VYV03354
Status: NEW → ASSIGNED
Attachment #8697414 - Flags: review?(dkeeler)
Comment on attachment 8697414 [details] [diff] [review] Enable extended master secret Review of attachment 8697414 [details] [diff] [review]: ----------------------------------------------------------------- r=me ::: security/manager/ssl/nsNSSComponent.cpp @@ +1078,5 @@ > SSL_OptionSetDefault(SSL_ENABLE_ALPN, > Preferences::GetBool("security.ssl.enable_alpn", > ALPN_ENABLED_DEFAULT)); > > + SSL_OptionSetDefault(SSL_ENABLE_EXTENDED_MASTER_SECRET, true); Let's actually put this with the safe negotiation/renegotiation options a few lines up.
Attachment #8697414 - Flags: review?(dkeeler) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/2767f381c592989277a68c7670eef919722b9f34 Bug 1224875 - Enable TLS extended master secret. r=keeler
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox45: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
This change appears to break a few sites with the error SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT. apps.reg.uga.edu appserver.lasalle.edu.co correo.uchile.cl
Is that enough to justify putting this behind a pref?
Why are other browsers unaffected? I thought Firefox was the last browser that implemented Extended Master Secret.
FWIW, the three sites in comment 5 all work fine in latest Chrome.
Also works with IE11/Edge, despite that MS15-121 introduced Extended Master Secret. It's the reason I'm asking the question.
I cant see why Chrome would succeed unless it was an extension ordering problem. Chrome includes two more extensions than we do and more cipher suites.
AAR, we should not continue discussion in a fixed bug. Filed bug 1243641.
Created attachment 8722936 [details] [diff] [review] backout patch Approval Request Comment [Feature/regressing bug #]: this bug [User impact if declined]: Users cannot connect some secure servers. [Describe test coverage new/current, TreeHerder]: no, backout [Risks and why]: extremely low. only revert changes to enables an options that had not been enabled. [String/UUID change made/needed]: none
Rather than backing this out, I would prefer to reorder the extensions as 1243641
Then bug 1243641 should be backported to NSS 3.22 (for Firefox 46) and 3.21 (for Firefox 45).
Comment on attachment 8722936 [details] [diff] [review] backout patch We (nss ml) agreed to take that for beta, the feature should be enabled for 46. Should be in 45 beta 10
Backed out from beta (45) in https://hg.mozilla.org/releases/mozilla-beta/rev/86b07e82b741 Unsure if the status flag should go to 'affected' or 'wontfix'...
status-firefox45: fixed → affected
status-firefox45: affected → disabled
status-firefox46: --- → fixed
You need to log in before you can comment on or make changes to this bug.