Closed
Bug 1340841
Opened 7 years ago
Closed 7 years ago
NSS is treating ticket_lifetime_hint as if it were milliseconds
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
3.29
People
(Reporter: ekr, Assigned: mt)
References
Details
Result of the fix in bug 1322187. This landed in 3.29, so affects FF 53 and FF 54, but not 52.
Reporter | ||
Comment 1•7 years ago
|
||
See: https://hg.mozilla.org/releases/mozilla-aurora/file/tip/security/nss/lib/ssl/sslnonce.c#l465
Reporter | ||
Comment 2•7 years ago
|
||
For clarity. S 4.6.1: ticket_lifetime Indicates the lifetime in seconds as a 32-bit unsigned integer in network byte order from the time of ticket issuance. Servers MUST NOT use any value more than 604800 seconds (7 days). The value of zero indicates that the ticket should be discarded immediately. Clients MUST NOT cache session tickets for longer than 7 days, regardless of the ticket_lifetime, and MAY delete the ticket earlier based on local policy. A server MAY treat a ticket as valid for a shorter period of time than what is stated in the ticket_lifetime. The confusion is that obfuscated_ticket_age is in ms, so when we fixed that, we broke ticket_lifetime, which is in seconds. Assuming I am correct, 3.28 had obfuscated_ticket_age wrong but the right timeout logic and 3.29 has obfuscated_ticket_age right but the wrong timeout logic. I think we can live with 3.28 being wrong about obfuscated_ticket_age, but we do need to fix the cache.
Assignee | ||
Comment 3•7 years ago
|
||
trunk: https://hg.mozilla.org/projects/nss/rev/16f9b6c70772563079ee310ffbab91c5bcf16980 3.29 branch: https://hg.mozilla.org/projects/nss/rev/7fcfb8306880ac0724502cbb2aa8827dc09db08a
Assignee: nobody → martin.thomson
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.29
Version: 3.18 → 3.29
Assignee | ||
Comment 4•7 years ago
|
||
Bounced and landed again: https://hg.mozilla.org/projects/nss/rev/93b99b0936d3926be0ea3f7b69bc81ec46475494 3.29 branch: https://hg.mozilla.org/projects/nss/rev/c01143dead54d12e4418de1bc6939d3a0a4e3a52
You need to log in
before you can comment on or make changes to this bug.
Description
•