Open Bug 1487842 Opened 2 years ago Updated 2 years ago

Remove weak TLS_DHE_RSA_* ciphers from Firefox for Android
Per https://groups.google.com/d/msg/mozilla.dev.platform/XyQo24IO0oA/h5bfCqShAwAJ, Firefox (Gecko) will drop the ciphers

- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA

because they are considered too weak. For historical reasons Firefox for Android will handshake to Firefox Sync servers using these suites: https://searchfox.org/mozilla-central/rev/05d91d3e02a0780f44599371005591d7988e2809/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java#73

After discussion off-list, I confirmed that we should drop those suites from Firefox for Android.
bobm:

a) can you confirm these cipher suites aren't required for Sync 1.5? (I'd be shocked if they're in our current AWS configuration, but I've been shocked before.)

b) can you confirm that we can also drop some old versions of TLS/SSLv3 from https://searchfox.org/mozilla-central/rev/05d91d3e02a0780f44599371005591d7988e2809/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java#94

c) are you aware of cipher suite requirements coming from SBrowser's use of Firefox Sync? (I'm not sure this is relevant any more.)
(In reply to Nick Alexander :nalexander [he/him] from comment #1)

> a) can you confirm these cipher suites aren't required for Sync 1.5? (I'd be shocked if they're in our current AWS configuration, but I've been shocked before.)

In a large sample (2/3 of sync traffic for a month) there are no CBC ciphers present. Which isn't surprising since they aren't in the allowed ciphers list configuration.

> b) can you confirm that we can also drop some old versions of TLS/SSLv3 from
> https://searchfox.org/mozilla-central/rev/05d91d3e02a0780f44599371005591d7988e2809/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java#94

0.05 percent of Sync traffic uses TLSv1. Most of that is from SBrowser:

Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) TLSv1 DHE-RSA-AES256-SHA

SSLv3 traffic accounts for .00002% of Sync traffic.

> c) are you aware of cipher suite requirements coming from SBrowser's use of Firefox Sync? (I'm not sure this is relevant any more.)

0.03% Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) TLSv1 DHE-RSA-AES256-SHA
0.000015% Firefox AndroidSync 1.40.0 (SBrowser) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
0.26% Firefox AndroidSync 1.40.0 (SBrowser) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256

I'll share a copy of the collated information I used to answer these questions with you, in case you'd like to do further investigation.
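The two halves of this thread, the server-side traffic breakdown in comment 2 and the client-side pruning proposed in the bug description, can be reproduced with a small script. The following is an added example, not Mozilla's code and not the contents of GlobalConstants.java: the log lines, the `CLIENT_SUITES_BEFORE` list and the choice to treat SSLv3, TLSv1 and TLSv1.1 as legacy are all constructed for illustration. It parses per-connection "user agent, protocol, cipher" records in the shape of the summary lines above, computes the share of traffic each combination accounts for, estimates how much traffic would be affected by removing the legacy protocols and the DHE-RSA CBC suites, and filters a JSSE-style client suite list the way the bug proposes.

```python
"""Added example (not Mozilla's code): summarize per-connection TLS records the
way comment 2 does, and prune a client cipher-suite/protocol list the way this
bug proposes. All sample data below is constructed."""
import re
from collections import Counter

# Protocol versions the bug proposes to stop offering from the Android client
# (assumption: TLSv1.1 is grouped with SSLv3 and TLSv1 as legacy).
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed JSSE (Java) suite list standing in for the client's configured
# suites; only the two TLS_DHE_RSA_* CBC names come from the bug itself.
CLIENT_SUITES_BEFORE = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

# One record per connection: "<user agent> <protocol> <cipher>", constructed to
# look like the summary lines in comment 2 (not real Sync traffic).
SAMPLE_LOG = """\
Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Firefox AndroidSync 1.40.0 (SBrowser) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Firefox AndroidSync 1.40.0 (SBrowser) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) TLSv1 DHE-RSA-AES256-SHA
Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) SSLv3 DHE-RSA-AES256-SHA
"""

# User agent is everything before the protocol token; cipher is the last token.
RECORD_RE = re.compile(r"^(?P<ua>.+?) (?P<proto>SSLv3|TLSv1(?:\.[0-3])?) (?P<cipher>\S+)$")


def parse_records(text):
    """Return (user_agent, protocol, cipher) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((m["ua"], m["proto"], m["cipher"]))
    return records


def is_dhe_rsa_cbc(cipher):
    """True for DHE-RSA CBC suites in either JSSE or OpenSSL naming."""
    if cipher.startswith("TLS_DHE_RSA_WITH_"):
        return "_CBC_" in cipher
    if cipher.startswith("DHE-RSA-"):
        # OpenSSL names spell out AEAD modes; a bare ...-SHA/-SHA256 suffix is CBC.
        return "GCM" not in cipher and "CHACHA" not in cipher and "CCM" not in cipher
    return False


def summarize(records):
    """Percentage of connections per (user_agent, protocol, cipher), as in comment 2."""
    counts = Counter(records)
    total = len(records)
    return {key: 100.0 * n / total for key, n in counts.items()}


def legacy_share(records):
    """Fraction (0..1) of connections that rely on a legacy protocol or a
    DHE-RSA CBC suite, i.e. what the proposed client change would affect."""
    if not records:
        return 0.0
    hits = sum(1 for _, proto, cipher in records
               if proto in LEGACY_PROTOCOLS or is_dhe_rsa_cbc(cipher))
    return hits / len(records)


def prune_client_suites(suites):
    """The client-side change this bug proposes: drop the DHE-RSA CBC suites."""
    return [s for s in suites if not is_dhe_rsa_cbc(s)]


def prune_protocols(protocols):
    """Drop the legacy protocol versions from a client's enabled-protocol list."""
    return [p for p in protocols if p not in LEGACY_PROTOCOLS]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (ua, proto, cipher), pct in sorted(summarize(recs).items(), key=lambda kv: -kv[1]):
        print(f"{pct:6.2f}%  {ua}  {proto}  {cipher}")
    print(f"share affected by the change: {legacy_share(recs):.2%}")
    print("suites after pruning:", prune_client_suites(CLIENT_SUITES_BEFORE))
    print("protocols after pruning:", prune_protocols(["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]))
```

The cipher predicate accepts both naming schemes on purpose: the client configuration uses JSSE names (`TLS_DHE_RSA_WITH_AES_256_CBC_SHA`) while the server-side logs quoted in comment 2 use OpenSSL names (`DHE-RSA-AES256-SHA`), so a check that only understood one of them would silently miss the other half of the picture.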