Bug 1224875: Enable TLS extended master secret
Status: RESOLVED FIXED (Closed)
Opened 9 years ago
Closed 5 years ago
Categories: Core :: Security: PSM, defect
Milestone: mozilla45
People: Reporter: mt, Assigned: emk
Attachments (2 files):
patch, 1.12 KB (keeler: review+)
patch, 1.24 KB (Sylvestre: approval-mozilla-aurora+, approval-mozilla-beta+)
SSL_ENABLE_EXTENDED_MASTER_SECRET is now available. We should turn it on.
Assignee
Comment 1 • 9 years ago
Comment on attachment 8697414 [details] [diff] [review] Enable extended master secret Review of attachment 8697414 [details] [diff] [review]: ----------------------------------------------------------------- r=me ::: security/manager/ssl/nsNSSComponent.cpp @@ +1078,5 @@ > SSL_OptionSetDefault(SSL_ENABLE_ALPN, > Preferences::GetBool("security.ssl.enable_alpn", > ALPN_ENABLED_DEFAULT)); > > + SSL_OptionSetDefault(SSL_ENABLE_EXTENDED_MASTER_SECRET, true); Let's actually put this with the safe negotiation/renegotiation options a few lines up.
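Review bot: The added SSL_OptionSetDefault(SSL_ENABLE_EXTENDED_MASTER_SECRET, true) call at the end of this hunk hard-codes the option, while the SSL_ENABLE_ALPN call directly above it takes its value from the "security.ssl.enable_alpn" pref with ALPN_ENABLED_DEFAULT as the fallback. Consider reading the value from a pref with a compiled default in the same way, so the extension can be switched off for interoperability testing without a code change or backout.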
Attachment #8697414 - Flags: review?(dkeeler) → review+
Assignee
Comment 3 • 9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/2767f381c592989277a68c7670eef919722b9f34 Bug 1224875 - Enable TLS extended master secret. r=keeler
Comment 4 • 9 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/2767f381c592
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox45: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Comment 5 • 8 years ago
This change appears to break a few sites with the error SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT.
apps.reg.uga.edu
appserver.lasalle.edu.co
correo.uchile.cl
Reporter
Comment 6 • 8 years ago
Is that enough to justify putting this behind a pref?
Assignee
Comment 7 • 8 years ago
Why are other browsers unaffected? I thought Firefox was the last browser that implemented Extended Master Secret.
Assignee
Comment 9 • 8 years ago
Also works with IE11/Edge, despite that MS15-121 introduced Extended Master Secret. It's the reason I'm asking the question.
Reporter
Comment 10 • 8 years ago
I can't see why Chrome would succeed unless it was an extension ordering problem. Chrome includes two more extensions than we do and more cipher suites.
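The extension-ordering hypothesis in comment 10 can be checked by listing the extensions of two captured ClientHello messages in wire order and locating extended_master_secret in each. This is an added example, not code from the bug or from NSS; `build_client_hello` and `ems_position` are hypothetical helper names, and the sample hellos and their extension orders are constructed.

```python
import struct

EXTENDED_MASTER_SECRET = 0x0017  # extension type assigned in RFC 7627

def client_hello_extensions(record: bytes) -> list:
    """Return the extension types of a TLS ClientHello record in wire order."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        pos = 5 + 4 + 2 + 32  # record header, handshake header, version, random
        pos += 1 + record[pos]  # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]  # compression_methods
        if pos == len(record):
            return []  # hello without an extensions block
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        types = []
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            types.append(ext_type)
            pos += 4 + ext_len  # skip the extension body
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    if pos != end or end > len(record):
        raise ValueError("extension lengths do not add up")
    return types

def ems_position(record: bytes):
    """Index of extended_master_secret among the extensions, None if absent."""
    exts = client_hello_extensions(record)
    return exts.index(EXTENDED_MASTER_SECRET) if EXTENDED_MASTER_SECRET in exts else None

def build_client_hello(extensions) -> bytes:
    """Constructed sample input: minimal TLS 1.2 hello from (type, body_len) pairs."""
    exts = b"".join(struct.pack("!HH", t, n) + bytes(n) for t, n in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    # Constructed orders, not the real Firefox or Chrome extension lists.
    early = build_client_hello([(0, 5), (23, 0), (65281, 1), (10, 4)])
    late = build_client_hello([(65281, 1), (0, 5), (10, 4), (23, 0)])
    for name, hello in (("early", early), ("late", late)):
        print(name, client_hello_extensions(hello), "EMS at", ems_position(hello))
```

Running the same function over ClientHello records captured from a working and a failing client shows whether the two differ in extension set, in order, or only in where extension 23 sits.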
Assignee
Comment 11 • 8 years ago
AAR, we should not continue discussion in a fixed bug. Filed bug 1243641.
Assignee
Comment 12 • 8 years ago
Approval Request Comment
[Feature/regressing bug #]: this bug
[User impact if declined]: Users cannot connect to some secure servers.
[Describe test coverage new/current, TreeHerder]: no, backout
[Risks and why]: extremely low. Only reverts a change that enables an option that had not been enabled.
[String/UUID change made/needed]: none
Attachment #8722936 - Flags: approval-mozilla-beta?
Attachment #8722936 - Flags: approval-mozilla-aurora?
Comment 13 • 8 years ago
Rather than backing this out, I would prefer to reorder the extensions as 1243641
Assignee
Comment 14 • 8 years ago
Then bug 1243641 should be backported to NSS 3.22 (for Firefox 46) and 3.21 (for Firefox 45).
Comment 15 • 8 years ago
Comment on attachment 8722936: backout patch
We (nss ml) agreed to take that for beta, the feature should be enabled for 46. Should be in 45 beta 10
Attachment #8722936 - Flags: approval-mozilla-beta?
Attachment #8722936 - Flags: approval-mozilla-beta+
Attachment #8722936 - Flags: approval-mozilla-aurora?
Attachment #8722936 - Flags: approval-mozilla-aurora+
Backed out from beta (45) in https://hg.mozilla.org/releases/mozilla-beta/rev/86b07e82b741 Unsure if the status flag should go to 'affected' or 'wontfix'...
Updated • 8 years ago
status-firefox46: --- → fixed
Comment 17 • 5 years ago
Looks like this one fell through the cracks. Are we ready to re-land this, now that bug 1243641 is fixed?
Status: RESOLVED → REOPENED
Flags: needinfo?(mt)
Resolution: FIXED → ---
Comment 18 • 5 years ago
Hmm, I see the flag enabled here: https://searchfox.org/mozilla-central/rev/3a61fb322f74a0396878468e50e4f4e97e369825/security/manager/ssl/nsNSSComponent.cpp#1744
Was this not backed out after all?
Comment 19 • 5 years ago
It was only backed out for Firefox 45 - there wasn't a backout on mozilla-central that I see, so 46 had it.
Status: REOPENED → RESOLVED
Closed: 9 years ago → 5 years ago
Flags: needinfo?(mt)
Resolution: --- → FIXED