Strictly prohibit renegotiation to change version

RESOLVED FIXED in Future

Status

P2
normal
RESOLVED FIXED
11 months ago
11 months ago

People

(Reporter: mt, Assigned: mt)

Tracking

trunk
Future

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)


Description

11 months ago
We currently don't allow renegotiation to change versions.  But the protection isn't complete, and there are still residues of the code that allowed it.  For instance, we check the pwSpec version rather than ss->version in a few places.

I've some code that clamps down much harder on this.  There are a few more checks and tests.  I've also removed the code that looks at the pending cipher spec.  That will help with another planned change.

Updated

11 months ago
Assignee: nobody → martin.thomson
See Also: → bug 1294697

Updated

11 months ago
Attachment #8906424 - Flags: review+
Priority: -- → P2

Comment 1

11 months ago
https://hg.mozilla.org/projects/nss/rev/7b73101f31b7d8f89061df28034f5942464bebae
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → Future