Closed Bug 1290037 Opened 9 years ago Closed 9 years ago

Update minimum keybits in H2

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla51
Tracking Flags:
Tracking Status
firefox-esr45 --- fixed
firefox51 --- fixed

People

(Reporter: franziskus, Assigned: franziskus)

References

Details

(Whiteboard: [necko-active])

Attachments

(1 file, 3 obsolete files)

curve-ff.patch
1.46 KB, patch
mt
: review+
ritu
: approval-mozilla-esr45+
Details | Diff | Splinter Review
Attached patch curve-ff.patch (obsolete) — Splinter Review
H2 checks the ECDHE curve size in Http2Session::ConfirmTLSProfile. When enabling curve25519 this has to lowered to 255 bits. Note that this curve offers 128 bit security as well. (Using keybits for checking the security isn't ideal anyway, but the best we can do at the moment.)
Attachment #8775508 - Flags: review?(mcmanus)
Attached patch curve-ff.patch (obsolete) — Splinter Review
the comment should be updated as well ...
Attachment #8775508 - Attachment is obsolete: true
Attachment #8775508 - Flags: review?(mcmanus)
Attachment #8775513 - Flags: review?(mcmanus)
Whiteboard: [necko-active]
You should probably update the logging below the if, too :)
Attached patch curve-ff.patch (obsolete) — Splinter Review
> You should probably update the logging below the if, too :)
Attachment #8775513 - Attachment is obsolete: true
Attachment #8775513 - Flags: review?(mcmanus)
Attachment #8775588 - Flags: review?(mcmanus)
Comment on attachment 8775588 [details] [diff] [review] curve-ff.patch Review of attachment 8775588 [details] [diff] [review]: ----------------------------------------------------------------- thats not a detail I can confirm - but I know who can :)
Attachment #8775588 - Flags: review?(mcmanus) → review?(martin.thomson)
Comment on attachment 8775588 [details] [diff] [review] curve-ff.patch Review of attachment 8775588 [details] [diff] [review]: ----------------------------------------------------------------- This is fine. However, if we go with 4Q I understand that this is further reduced, which would fail again. RFC 7540 sets the limit to 224 bits, which seems like a limit we could get behind.
Attachment #8775588 - Flags: review?(martin.thomson) → review+
Attached patch curve-ff.patchSplinter Review
ok, then let's use 224
Attachment #8775588 - Attachment is obsolete: true
Attachment #8778661 - Flags: review?(martin.thomson)
Attachment #8778661 - Flags: review?(martin.thomson) → review+
https://hg.mozilla.org/mozilla-central/rev/361ac226da2a
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox51: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Comment on attachment 8778661 [details] [diff] [review] curve-ff.patch Franziskus, are there (runtime) risks associated with backporting the patch to older Firefox releases? [Approval Request Comment] ESR consideration: Help downstream ubnundle NSS in case some secfixes don't or cannot trickle in ESR45 or its consumers or they have a lot of patches for Tier3 support. User impact if declined: Broken HTTP/2 for --with-system-nss + NSS 3.28 builds Fix Landed on Version: Firefox 51 Risk to taking this patch (and alternatives if risky): None build-wise and *probably* not for old bundled NSS, to be confirmed by :fkiefer String or UUID changes made by this patch: None
Flags: needinfo?(franziskuskiefer)
Attachment #8778661 - Flags: approval-mozilla-esr45?
There are no risks in uplifting this. The patch only allows smaller curves to be used in H2. By default NSS only provides one curve (25519) that is smaller. Because this is the default curve since NSS 3.28 we should uplift this fix to all branches to unbreak H2 with system NSS.
Flags: needinfo?(franziskuskiefer)
Comment on attachment 8778661 [details] [diff] [review] curve-ff.patch It makes sense to take this in ESR45 (got a second opinion from Al/Dan), ESR45.7+
Attachment #8778661 - Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
mt, does this also close bug 1224948 ?
Flags: needinfo?(martin.thomson)
No, this only affects ECDHE.
Flags: needinfo?(martin.thomson)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: