Deprecate and remove: TLS CBC-mode ECDSA cipher suites

RESOLVED FIXED in Firefox 53

Status

Core
Security: PSM
P3
major
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: u570621, Assigned: emk)

Tracking

(Blocks: 1 bug, {dev-doc-needed, site-compat})

Trunk
mozilla53
dev-doc-needed, site-compat
Points:
---

Firefox Tracking Flags

(firefox53 fixed)

Details

(Whiteboard: [psm-backlog])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20100101

Steps to reproduce:

Catch up to Chrome deprecating old/unused features related to security

https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/EE8XpDJytBs

https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/A-LcSmj5TBE
Assignee: nobody → nobody
Severity: normal → major
Component: Untriaged → Libraries
Product: Firefox → NSS
Version: Trunk → trunk
Summary: Catch up to Chrome security → Deprecate and remove: TLS CBC-mode ECDSA cipher suites & TLS 1.2 ECDSA with SHA-1 and SHA-512 signature algorithms
(Assignee)

Comment 1

2 years ago
The corresponding Chromium issue is not against BoringSSL, so Core/Security:PSM would be more appropriate as our component.
Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
Version: trunk → Trunk
Priority: -- → P3
Whiteboard: [psm-backlog]
(Reporter)

Comment 2

2 years ago
Google finished the work on removing these. What is the progress on Mozilla's side?
Comment hidden (mozreview-request)

Comment 5

2 years ago
mozreview-review
Comment on attachment 8819518 [details]
Bug 1316300 - Remove ECDSA_CBC cipher suites from TLS 1.3 ClientHello.

https://reviewboard.mozilla.org/r/99254/#review100430

I'm a little unclear on how we would measure the compatibility impact of this. Just by monitoring changes in the SSL_TLS13_INTOLERANCE_REASON_* telemetry histograms?
Attachment #8819518 - Flags: review?(dkeeler)
Also, :mt - thoughts on this?
Flags: needinfo?(martin.thomson)
The only real benefit to removing these is space savings in the ClientHello - the exposure we had to export grade ciphers isn't made worse by supporting these cipher suites.  Key exchange and authentication with ECDHE and ECDSA is arguably stronger than RSA in all our supported cipher suites.  

There is a compatibility risk, though it's probably tiny for the reasons that David points out.

I don't think that we need to rush into fixing these.  That said, I'm OK with landing this in Firefox 53 as long as it rides the trains in the normal fashion.  That gives us a few extra weeks to shake out the problems.

FWIW, we're seeing very little of the CBC suites: https://mzl.la/2hFp7IL  The 128-bit variant is 1M out of 216B samples, 256-bit is even less.  We have no telemetry on signature algorithms.
Flags: needinfo?(martin.thomson)
(Assignee)

Comment 8

2 years ago
Comment on attachment 8819518 [details]
Bug 1316300 - Remove ECDSA_CBC cipher suites from TLS 1.3 ClientHello.

(In reply to David Keeler [:keeler] (use needinfo?) from comment #5)
> I'm a little unclear on how we would measure the compatibility impact of
> this. Just by monitoring changes in the SSL_TLS13_INTOLERANCE_REASON_*
> telemetry histograms?

By monitoring changes in SSL_CIPHER_SUITE_FULL. Currently, we will negotiate ECDSA_CBC cipher suites when the servers prefer them, even if the servers support other cipher suites. By hiding ECDSA_CBC cipher suites behind the fallback, we will negotiate them only when the servers exclusively support them. Only those servers will break when we remove ECDSA_CBC cipher suites.

Re-requesting review because :mt said it's OK to ride this on the train.
Attachment #8819518 - Flags: review?(dkeeler)
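
The measurement argument in comment 8, as an added example that is not part of the bug or of Firefox's code: a Python simulation of server-preference suite selection with the ECDSA_CBC suites either offered up front or held back for a fallback ClientHello. The client offer lists, the three server profiles and all function names are constructed for illustration.

```python
from collections import Counter

GCM128 = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
GCM256 = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
CBC128 = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
CBC256 = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
ECDSA_CBC = {CBC128, CBC256}

# Constructed client offer, not Firefox's real list.
FULL_OFFER = [GCM128, GCM256, CBC128, CBC256]
FIRST_HELLO = [s for s in FULL_OFFER if s not in ECDSA_CBC]

# Constructed server profiles, each listed in the server's preference order.
SERVERS = {
    "prefers_cbc_has_gcm": [CBC128, GCM128],
    "cbc_only": [CBC256, CBC128],
    "gcm_only": [GCM128],
}


def negotiate(server_prefs, client_offer):
    """Server-preference selection: first server suite that the client offered."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)


def connect(server_prefs, hide_behind_fallback):
    """Return (suite, used_fallback) for one simulated connection."""
    if not hide_behind_fallback:
        return negotiate(server_prefs, FULL_OFFER), False
    suite = negotiate(server_prefs, FIRST_HELLO)
    if suite is not None:
        return suite, False
    # First hello found no common suite: retry with ECDSA_CBC included.
    return negotiate(server_prefs, FULL_OFFER), True


def suite_histogram(hide_behind_fallback):
    """Stand-in for SSL_CIPHER_SUITE_FULL: counts of negotiated suites."""
    return Counter(connect(p, hide_behind_fallback)[0] for p in SERVERS.values())


def breaks_on_removal():
    """Servers that connect only via the fallback, i.e. ECDSA_CBC-exclusive."""
    return sorted(n for n, p in SERVERS.items()
                  if connect(p, True)[1] and connect(p, True)[0] in ECDSA_CBC)


if __name__ == "__main__":
    print("before:", dict(suite_histogram(False)))
    print("after: ", dict(suite_histogram(True)))
    print("would break:", breaks_on_removal())
```

With the suites hidden, the server that merely prefers CBC moves to GCM, so the remaining ECDSA_CBC count in the histogram corresponds to the servers that would fail once the suites are removed.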

Comment 9

2 years ago
mozreview-review
Comment on attachment 8819518 [details]
Bug 1316300 - Remove ECDSA_CBC cipher suites from TLS 1.3 ClientHello.

https://reviewboard.mozilla.org/r/99254/#review100820

Ok, I see how this will work. Hopefully TLS1.3 intolerance won't confuse the situation. r=me, but yeah, let's not uplift this or anything.
Attachment #8819518 - Flags: review?(dkeeler) → review+

Comment 10

2 years ago
Pushed by VYV03354@nifty.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/0c0edf04c56f
Remove ECDSA_CBC cipher suites from TLS 1.3 ClientHello. r=keeler
(Assignee)

Updated

2 years ago
Assignee: nobody → VYV03354
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Updated

2 years ago
Blocks: 1325257
(Assignee)

Comment 11

2 years ago
I didn't touch the signature algorithm issue. Due to MozReview's poor support for partial landing, it would be better to file a new bug for the remaining issue. Hence I filed it (bug 1325257).
Summary: Deprecate and remove: TLS CBC-mode ECDSA cipher suites & TLS 1.2 ECDSA with SHA-1 and SHA-512 signature algorithms → Deprecate and remove: TLS CBC-mode ECDSA cipher suites

Comment 12

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0c0edf04c56f
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox53: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Posted the site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2017/tls-cbc-mode-ecdsa-ciphers-have-been-removed/
Keywords: dev-doc-needed, site-compat