browser_networkIsolation.js breaks when NSS enables TLS 1.3 by default
Categories
(Core :: Privacy: Anti-Tracking, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox72 | --- | fixed |
People
(Reporter: kjacobs, Assigned: kjacobs)
Details
Attachments
(1 file)
Recently we landed a patch in NSS to enable TLS 1.3 by default: https://hg.mozilla.org/projects/nss/rev/bc77cf318f388f55790b99d5f23a9c1f2bd9f900
When preparing to uplift this as part of D50840, I noticed test failures in browser_networkIsolation.js
: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=273385405&repo=try&lineNumber=6529
[task 2019-10-29T01:23:16.816Z] 01:23:16 INFO - TEST-UNEXPECTED-FAIL | toolkit/components/antitracking/test/browser/browser_networkIsolation.js | The third load SHOULD have been resumed -
[task 2019-10-29T01:23:16.816Z] 01:23:16 INFO - Stack trace:
[task 2019-10-29T01:23:16.816Z] 01:23:16 INFO - chrome://mochikit/content/browser-test.js:test_ok:1297
[task 2019-10-29T01:23:16.816Z] 01:23:16 INFO - chrome://mochitests/content/browser/toolkit/components/antitracking/test/browser/browser_networkIsolation.js:null:148
[task 2019-10-29T01:23:16.816Z] 01:23:16 INFO - promise callback*chrome://mochitests/content/browser/toolkit/components/antitracking/test/browser/browser_networkIsolation.js:null:138
[task 2019-10-29T01:23:16.816Z] 01:23:16 INFO - chrome://mochikit/content/browser-test.js:Tester_execTest/<:1067
[task 2019-10-29T01:23:16.816Z] 01:23:16 INFO - chrome://mochikit/content/browser-test.js:Tester_execTest:1102
[task 2019-10-29T01:23:16.816Z] 01:23:16 INFO - chrome://mochikit/content/browser-test.js:nextTest/<:930
[task 2019-10-29T01:23:16.816Z] 01:23:16 INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:SimpleTest.waitForFocus/waitForFocusInner/focusedOrLoaded/<:805
I confirmed local failures with this updated default.
This test should handle the updated default (whether by not running, or running an updated version of itself). This may be a test server bug, but I haven't investigated that yet.
Assignee | ||
Comment 1•5 years ago
|
||
So, ssltunnel doesn't enable session tickets, which are disabled in NSS by default. I have a try run going to see if updating ssltunnel will require updated hostutils for Android.
@mt, do you think we should enable session tickets by default at the same time as TLS 1.3? Other applications might trip over this.
Comment 2•5 years ago
|
||
Nice catch. I wouldn't have thought that we had resumption on, but not tickets (I'm too used to TLS 1.3, where there are only tickets).
I don't think that we can turn tickets on by default. They require too much additional configuration to get right.
Right now, that means providing a certificate with an RSA key, even if that isn't the intended key. When we get around to encrypting tickets with either a symmetric key (as we've long hoped to do) or HPKE then we still probably need to keep it off by default.
Assignee | ||
Comment 3•5 years ago
|
||
This patch updates ssltunnel to enable TLS session tickets. With the NSS change to update the TLS version default to 1.3 (where it was 1.2 prior), this is necessary to support resumption.
Assignee | ||
Updated•5 years ago
|
Pushed by rmaries@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/758bd595eeff Enable TLS session tickets in ssltunnel r=keeler
Comment 5•5 years ago
|
||
bugherder |
Comment 6•5 years ago
|
||
bugherder landing |
Description
•