Closed Bug 1590935 Opened 1 year ago Closed 11 months ago

Offer to re-enable TLS 1.0 on SSL_ERROR_PROTOCOL_VERSION_ALERT

Categories

(Firefox :: Security, defect, P1)

RESOLVED FIXED
Firefox 72
Tracking Status
firefox70 --- unaffected
firefox71 --- wontfix
firefox72 --- fixed

People

(Reporter: mt, Assigned: mt)

Attachments

(1 file)

When disabling TLS 1.0, we (temporarily) offer the option to re-enable it. This UI is currently only triggered by the SSL_ERROR_UNSUPPORTED_VERSION error code. The belief was that this was the only valid error code.

As it happens, a small number of sites generate a protocol_version alert. This is only possible if they recognize the supported_versions extension defined in TLS 1.3. So these servers support TLS 1.3, but disable TLS 1.2 and TLS 1.3. That's odd, and a bad idea, but it does happen.

At least these sites are keeping their TLS stacks up to date, even if the configuration is out of date. An offer to re-enable TLS 1.0 in that case is probably a good idea.
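A simplified model of the two failure paths described above, as an added example (not Firefox or NSS code): it classifies the first TLS record a server returns and maps it to the error name that would trigger the re-enable offer. The function names, outcome strings other than the two NSS error names on this page, and the byte samples are constructed for illustration.

```javascript
// Added illustration; not Firefox or NSS code. Function names are hypothetical.
const ALERT = 21, HANDSHAKE = 22, SERVER_HELLO = 2;
const FATAL = 2, PROTOCOL_VERSION = 70; // TLS alert description protocol_version

// Classify the first TLS record a server sends back, given the lowest
// version the client still allows (0x0303 = TLS 1.2).
function classifyFirstRecord(bytes, clientMin = 0x0303) {
  if (bytes.length < 5) return "TRUNCATED";
  const type = bytes[0];
  const len = (bytes[3] << 8) | bytes[4];
  if (bytes.length < 5 + len) return "TRUNCATED";
  const body = bytes.slice(5, 5 + len);
  if (type === ALERT && len === 2) {
    // Alert body is two bytes: level, description.
    return body[0] === FATAL && body[1] === PROTOCOL_VERSION
      ? "SSL_ERROR_PROTOCOL_VERSION_ALERT"
      : "OTHER_ALERT";
  }
  if (type === HANDSHAKE && body.length >= 6 && body[0] === SERVER_HELLO) {
    // Handshake header is 4 bytes (type + 24-bit length); server_version follows.
    const serverVersion = (body[4] << 8) | body[5];
    return serverVersion < clientMin
      ? "SSL_ERROR_UNSUPPORTED_VERSION"
      : "NEGOTIATED";
  }
  return "OTHER";
}

// Both outcomes mean the server wants a version older than the client allows,
// so both should lead to the (temporary) re-enable offer.
const OFFER_ON = new Set([
  "SSL_ERROR_UNSUPPORTED_VERSION",
  "SSL_ERROR_PROTOCOL_VERSION_ALERT",
]);
function shouldOfferTls10(outcome) {
  return OFFER_ON.has(outcome);
}

// Constructed samples (not captured traffic); the ServerHello is cut off
// after server_version because nothing later is inspected.
const alertRecord = Uint8Array.from([21, 3, 1, 0, 2, 2, 70]);
const oldServerHello = Uint8Array.from([22, 3, 1, 0, 6, 2, 0, 0, 2, 3, 1]);
const handshakeFailure = Uint8Array.from([21, 3, 3, 0, 2, 2, 40]);

for (const rec of [alertRecord, oldServerHello, handshakeFailure]) {
  const outcome = classifyFirstRecord(rec);
  console.log(outcome, "offer:", shouldOfferTls10(outcome));
}
```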

As it turns out, there are some sites that generate this error. It's a small number, but enough to justify the change.

No new tests because we can't generate this condition in our test setup.

Note that this doesn't affect Beta or Release in any meaningful way because the underlying pref is not set in Beta (yet).

Summary: Offer to re-enable TLS 1.0 on PROTOCOL_VERSION_ERROR → Offer to re-enable TLS 1.0 on SSL_ERROR_PROTOCOL_VERSION_ALERT

(In reply to Martin Thomson [:mt:] from comment #2)

> Note that this doesn't affect Beta or Release in any meaningful way because the underlying pref is not set in Beta (yet).

Will it be set via uplift/normandy, though? In that case I think uplift to beta would be painless...

Status: NEW → ASSIGNED
Priority: -- → P1

Pushed by mthomson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/54ca07441fde
Offer to re-enable TLS 1.0 on SSL_ERROR_PROTOCOL_VERSION_ALERT, r=johannh

Backed out for failures on browser_aboutNetError.js

backout: https://hg.mozilla.org/integration/autoland/rev/4540a5373bb817c8d256b224016677dddd60546c

push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=54ca07441fded359a05aae6c22d9077e45303029&searchStr=browser-chrome&group_state=expanded&selectedJob=272890094

failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=272890094&repo=autoland&lineNumber=1176

[task 2019-10-25T02:09:35.804Z] 02:09:35 INFO - TEST-START | browser/base/content/test/about/browser_aboutNetError.js
[task 2019-10-25T02:09:36.135Z] 02:09:36 INFO - TEST-INFO | started process screencapture
[task 2019-10-25T02:09:36.249Z] 02:09:36 INFO - TEST-INFO | screencapture: exit 0
[task 2019-10-25T02:09:36.249Z] 02:09:36 INFO - Buffered messages logged at 02:09:35
[task 2019-10-25T02:09:36.249Z] 02:09:36 INFO - Entering test bound resetToDefaultConfig
[task 2019-10-25T02:09:36.249Z] 02:09:36 INFO - Change TLS config to cause page load to fail, check that reset button is shown and that it works
[task 2019-10-25T02:09:36.249Z] 02:09:36 INFO - Buffered messages logged at 02:09:36
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - Loading and waiting for the net error
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - TEST-PASS | browser/base/content/test/about/browser_aboutNetError.js | Should be showing error page - true == true -
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - Buffered messages finished
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - TEST-UNEXPECTED-FAIL | browser/base/content/test/about/browser_aboutNetError.js | prefResetButton should be visible - false == true -
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - Stack trace:
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - resource://testing-common/content-task.js line 110 > eval:null:11
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - resource://testing-common/content-task.js:null:111
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - Not taking screenshot here: see the one that was previously logged
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - TEST-UNEXPECTED-FAIL | browser/base/content/test/about/browser_aboutNetError.js | prefResetButton has autofocus - null == "true" -
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - Stack trace:
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - resource://testing-common/content-task.js line 110 > eval:null:15
[task 2019-10-25T02:09:36.250Z] 02:09:36 INFO - resource://testing-common/content-task.js:null:111
[task 2019-10-25T02:09:36.251Z] 02:09:36 INFO - Waiting for the TLS 1.2 page to load after the click
[task 2019-10-25T02:09:42.261Z] 02:09:42 INFO - GECKO(1707) | 2019-10-25 02:09:42.234 firefox[1707:10329] Persistent UI failed to open file file:///Users/cltbld/Library/Saved%20Application%20State/org.mozilla.nightly.savedState/window_1.data: No such file or directory (2)
[task 2019-10-25T02:10:20.970Z] 02:10:20 INFO - Not taking screenshot here: see the one that was previously logged
[task 2019-10-25T02:10:20.970Z] 02:10:20 INFO - TEST-UNEXPECTED-FAIL | browser/base/content/test/about/browser_aboutNetError.js | Test timed out -
[task 2019-10-25T02:10:20.970Z] 02:10:20 INFO - GECKO(1707) | MEMORY STAT | vsize 7633MB | residentFast 327MB | heapAllocated 99MB
[task 2019-10-25T02:10:20.970Z] 02:10:20 INFO - TEST-OK | browser/base/content/test/about/browser_aboutNetError.js | took 45168ms
[task 2019-10-25T02:10:20.970Z] 02:10:20 INFO - Not taking screenshot here: see the one that was previously logged
[task 2019-10-25T02:10:20.971Z] 02:10:20 INFO - TEST-UNEXPECTED-FAIL | browser/base/content/test/about/browser_aboutNetError.js | Found a tab after previous test timed out: https://tls12.example.com/ -

Flags: needinfo?(mt)

Well, that was a big mistake on my part. Those tests needed a complete rewrite for this change. I have a fix, but it will need a second pair of eyes.

Flags: needinfo?(mt)

Pushed by mthomson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4fe43f4966b2
Offer to re-enable TLS 1.0 on SSL_ERROR_PROTOCOL_VERSION_ALERT, r=nhnt11

Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 72