Closed Bug 1592175 Opened 5 years ago Closed 5 years ago

browser_networkIsolation.js breaks when NSS enables TLS 1.3 by default

Categories

(Core :: Privacy: Anti-Tracking, defect)

Product:
Core
Component:
Privacy: Anti-Tracking
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox72 --- fixed

People

(Reporter: kjacobs, Assigned: kjacobs)

Details

Attachments

(1 file)

Bug 1592175 - Enable TLS session tickets in ssltunnel
47 bytes, text/x-phabricator-request
Details | Review

Recently we landed a patch in NSS to enable TLS 1.3 by default: https://hg.mozilla.org/projects/nss/rev/bc77cf318f388f55790b99d5f23a9c1f2bd9f900

When preparing to uplift this as part of D50840, I noticed test failures in browser_networkIsolation.js: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=273385405&repo=try&lineNumber=6529

[task 2019-10-29T01:23:16.816Z] 01:23:16     INFO - TEST-UNEXPECTED-FAIL | toolkit/components/antitracking/test/browser/browser_networkIsolation.js | The third load SHOULD have been resumed - 
[task 2019-10-29T01:23:16.816Z] 01:23:16     INFO - Stack trace:
[task 2019-10-29T01:23:16.816Z] 01:23:16     INFO - chrome://mochikit/content/browser-test.js:test_ok:1297
[task 2019-10-29T01:23:16.816Z] 01:23:16     INFO - chrome://mochitests/content/browser/toolkit/components/antitracking/test/browser/browser_networkIsolation.js:null:148
[task 2019-10-29T01:23:16.816Z] 01:23:16     INFO - promise callback*chrome://mochitests/content/browser/toolkit/components/antitracking/test/browser/browser_networkIsolation.js:null:138
[task 2019-10-29T01:23:16.816Z] 01:23:16     INFO - chrome://mochikit/content/browser-test.js:Tester_execTest/<:1067
[task 2019-10-29T01:23:16.816Z] 01:23:16     INFO - chrome://mochikit/content/browser-test.js:Tester_execTest:1102
[task 2019-10-29T01:23:16.816Z] 01:23:16     INFO - chrome://mochikit/content/browser-test.js:nextTest/<:930
[task 2019-10-29T01:23:16.816Z] 01:23:16     INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:SimpleTest.waitForFocus/waitForFocusInner/focusedOrLoaded/<:805

I confirmed local failures with this updated default.

This test should handle the updated default (whether by not running, or running an updated version of itself). This may be a test server bug, but I haven't investigated that yet.

So, ssltunnel doesn't enable session tickets, which are disabled in NSS by default. I have a try run going to see if updating ssltunnel will require updated hostutils for Android.

@mt, do you think we should enable session tickets by default at the same time as TLS 1.3? Other applications might trip over this.

Flags: needinfo?(mt)

Nice catch. I wouldn't have thought that we had resumption on, but not tickets (I'm too used to TLS 1.3, where there are only tickets).

I don't think that we can turn tickets on by default. They require too much additional configuration to get right.

Right now, that means providing a certificate with an RSA key, even if that isn't the intended key. When we get around to encrypting tickets with either a symmetric key (as we've long hoped to do) or HPKE then we still probably need to keep it off by default.

Flags: needinfo?(mt)

This patch updates ssltunnel to enable TLS session tickets. With the NSS change to update the TLS version default to 1.3 (where it was 1.2 prior), this is necessary to support resumption.

Assignee: nobody → kjacobs.bugzilla
Status: NEW → ASSIGNED
Pushed by rmaries@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/758bd595eeff
Enable TLS session tickets in ssltunnel r=keeler

https://hg.mozilla.org/mozilla-central/rev/758bd595eeff

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox72: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: