Closed
Bug 1305561
Opened 8 years ago
Closed 8 years ago
CloudFlare triggers unsafe negotiation warning with TLS 1.3
Categories: Core :: Security: PSM, defect, P1
RESOLVED
FIXED
mozilla52
| | Tracking | Status |
|---|---|---|
| firefox52 | --- | fixed |
People
(Reporter: sjw+bugzilla, Assigned: emk)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file)
STR:
Set the following values in about:config:
security.tls.version.max = 4
security.ssl.require_safe_negotiation = true
security.ssl.treat_unsafe_negotiation_as_broken = true
Browse to a site that is served by CloudFlare and has TLS 1.3 enabled, e.g. https://blog.cloudflare.com/

Expected results:
If CloudFlare supports secure renegotiation in TLS 1.3 the warning should not be shown.
If CloudFlare does not support secure renegotiation in TLS 1.3 the site should not load at all, because of require_safe_negotiation.

Actual results:
The lock icon will get a warning triangle and the site info panel says the site uses weak encryption. But the site loads fine.
TLS 1.2 works fine without any warning.
Note: sites that are using mod_nss also work fine for me (e.g. https://tls13.crypto.mozilla.org/)
Comment 2 • 8 years ago (Assignee)
TLS 1.3 killed renegotiation. We should rather suppress warning if the negotiated TLS version is >=1.3.
Comment 5 • 8 years ago
Comment on attachment 8795242 [details]
Bug 1305561 - Do not check renego extension when TLS version is 1.3.
https://reviewboard.mozilla.org/r/81366/#review80072

Looks good. Just the one comment.

::: security/manager/ssl/nsNSSCallbacks.cpp:1192 (Diff revision 2)
> cipherInfo.symCipher); > } > } > > PRBool siteSupportsSafeRenego; > + if (channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_TLS_1_2) {

I think it might be safer to make this `if (channelInfo.protocolVersion != SSL_LIBRARY_VERSION_TLS_1_3) {`
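Review bot: `PRBool siteSupportsSafeRenego;` is declared without an initializer directly above the new `if (channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_TLS_1_2) {` guard, so whatever assigns it inside the guarded block no longer runs for TLS 1.3; either give it a definite initial value (true is the natural one, since TLS 1.3 has no renegotiation to be unsafe) or put the code that later reads it under the same guard, otherwise the TLS 1.3 path reads an indeterminate value. On the guard itself, `<=` exempts every version above 1.2 including versions that do not exist yet, while the suggested `!= SSL_LIBRARY_VERSION_TLS_1_3` exempts only 1.3, which is the narrower and more predictable choice.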
Attachment #8795242 - Flags: review?(dkeeler) → review+
Comment 7 • 8 years ago (Assignee)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=ab597e6f1483
Pushed by VYV03354@nifty.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/bf025a49293e
Do not check renego extension when TLS version is 1.3. r=keeler
Assignee: nobody → VYV03354
Priority: -- → P1
Whiteboard: [psm-assigned]
Comment 9 • 8 years ago
https://hg.mozilla.org/mozilla-central/rev/bf025a49293e
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52