Closed Bug 1268728 Opened 4 years ago Closed 4 years ago

Remove ability to enable RC4

Categories: Core :: Security: PSM, defect

Tracking: RESOLVED FIXED, target milestone mozilla50
Tracking Status: firefox50 --- fixed

People: Reporter: emk, Assigned: emk

Details: Keywords: dev-doc-complete, site-compat; Whiteboard: [psm-assigned]

Attachments: 2 files, 1 obsolete file

Attached patch rm_rc4_pref (obsolete) — Splinter Review
Chrome 53 will remove a Group Policy setting to re-enable RC4. The expected release date of Chrome 53 is earlier than Firefox 49.

I left some dead code in case we have to back out the change.

Try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=2a6f842b701a
Attachment #8746864 - Flags: review?(dkeeler)
Comment on attachment 8746864 [details] [diff] [review]
rm_rc4_pref

Review of attachment 8746864 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good, but I think we should delay this until 50. Also, what's the Chrome bug on removing the group policy?

::: security/manager/ssl/nsNSSComponent.cpp
@@ -1112,5 @@
> -   TLS_RSA_WITH_RC4_128_SHA, true, true }, // deprecated (RSA key exchange, RC4)
> - { "security.ssl3.rsa_rc4_128_md5",
> -   TLS_RSA_WITH_RC4_128_MD5, true, true }, // deprecated (RSA key exchange, RC4, HMAC-MD5)
> -
> - // All the rest are disabled by default
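Review bot: dropping the security.ssl3.rsa_rc4_128_sha and security.ssl3.rsa_rc4_128_md5 rows leaves any user_pref already set for them in existing profiles as dead values that nothing reads, so a user who flipped them to get RC4 back sees the suites silently disappear with no warning. Consider clearing the two prefs on startup, or at least calling the change out in the site-compat note.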

nit: let's keep this comment
Attachment #8746864 - Flags: review?(dkeeler) → review+
(In reply to David Keeler [:keeler] (use needinfo?) from comment #1)
> This looks good, but I think we should delay this until 50.

OK.

> Also, what's the
> Chrome bug on removing the group policy?

Chrome already embedded the supported version range when they landed the RC4-deprecation patch:
https://chromium.googlesource.com/chromium/src.git/+/14b1a53362ffb727e02bdf27e24e93c5f9b2d423%5E!/#F3
Their infrastructure will automatically kill the "RC4Enabled" policy when the Chromium version goes beyond 52. No explicit removal patch is needed.

> ::: security/manager/ssl/nsNSSComponent.cpp
> > - // All the rest are disabled by default
> 
> nit: let's keep this comment

I didn't restore the "by default" part because there is no way to enable unlisted cipher suites.
Attachment #8746864 - Attachment is obsolete: true
Attachment #8747958 - Flags: review+
Target Milestone: --- → mozilla50
Version: 46 Branch → unspecified
Assignee: nobody → VYV03354
Whiteboard: [psm-assigned]
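To make the point about unlisted cipher suites concrete, here is an added example (not Firefox or NSS code) that models the nsNSSComponent.cpp pref table as a list of (pref, suite, enabled-by-default) rows and scans a prefs.js for security.ssl3.* prefs that no longer have a row. Only the two RC4 entries are taken from this bug; the other rows, their defaults, and the sample prefs.js are constructed assumptions for illustration.

```python
import re

# Subset of the security.ssl3.* pref table from nsNSSComponent.cpp, shaped as
# (pref name, NSS cipher suite, enabled by default). Only the two RC4 rows are
# visible in this bug; the other rows and all defaults are assumptions made for
# this example, not the real Firefox 50 table.
PREF_TABLE_BEFORE = [
    ("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    ("security.ssl3.rsa_aes_128_sha", "TLS_RSA_WITH_AES_128_CBC_SHA", True),
    ("security.ssl3.rsa_rc4_128_sha", "TLS_RSA_WITH_RC4_128_SHA", False),  # removed by this bug
    ("security.ssl3.rsa_rc4_128_md5", "TLS_RSA_WITH_RC4_128_MD5", False),  # removed by this bug
]

# The table after the patch: the RC4 rows are simply gone, nothing replaces them.
PREF_TABLE_AFTER = [row for row in PREF_TABLE_BEFORE if "rc4" not in row[0]]

# Boolean user_pref() lines as they appear in a profile's prefs.js.
USER_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(true|false)\);$')


def parse_prefs_js(text):
    """Return {pref: bool} for the boolean user_pref() lines in a prefs.js.
    String and integer prefs are skipped; only true/false values matter here."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = (m.group(2) == "true")
    return prefs


def enabled_suites(table, user_prefs):
    """Suites NSS ends up with: a user pref overrides the default of its own
    row, but a pref with no row controls nothing, so an unlisted suite can
    never be turned on however the profile is edited."""
    return sorted(suite for pref, suite, default in table
                  if user_prefs.get(pref, default))


def orphaned_prefs(table, user_prefs):
    """security.ssl3.* user prefs left behind in a profile with no table row."""
    known = {pref for pref, _, _ in table}
    return sorted(p for p in user_prefs
                  if p.startswith("security.ssl3.") and p not in known)


# Constructed prefs.js fragment from a profile where someone re-enabled RC4.
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage_override.mstone", "46.0");
user_pref("security.ssl3.rsa_rc4_128_sha", true);
user_pref("security.ssl3.rsa_rc4_128_md5", true);
'''


def main():
    prefs = parse_prefs_js(SAMPLE_PREFS_JS)
    print("before:  ", enabled_suites(PREF_TABLE_BEFORE, prefs))
    print("after:   ", enabled_suites(PREF_TABLE_AFTER, prefs))
    print("orphaned:", orphaned_prefs(PREF_TABLE_AFTER, prefs))


if __name__ == "__main__":
    main()
```

Run against a real profile's prefs.js, `orphaned_prefs` is the quick way to spot users who had worked around the Firefox 44 RC4 deprecation by hand and will be confused when the suites disappear in 50.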
Attached patch rebased to tip (Splinter Review)
I stopped removing test_weak_crypto.js because bug 1113974 will reuse it very soon.
Attachment #8760678 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/7afaa7546076
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Posted the site compatibility doc, since I've seen some users on SUMO who are confused by this change: https://www.fxsitecompat.com/en-CA/docs/2016/rc4-support-has-been-completely-removed/
Noted on Firefox 50 for developers.