Closed Bug 1617275 Opened 5 years ago Closed 5 years ago

TLS override page should not be displayed if the tls min version is locked to 1.2

Categories

(Firefox :: Security, defect, P1)


Tracking


VERIFIED FIXED
Firefox 75
Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 + verified
firefox75 --- verified

People

(Reporter: mkaply, Assigned: mkaply)

References

Details

Attachments

(1 file)

Enterprise policy allows the min version of TLS to be locked to 1.2 (or 1.1).

If it is locked to a particular version, we should not be showing the deprecation page to allow someone to go below that version.

Alternatively, I could just disable the UI if the pref is locked (assuming the pref is going to stay around)

Assignee: nobody → mozilla
Status: NEW → ASSIGNED

I'm not sure what you meant by:

disable the override UX, not just for this but for resetting TLS prefs as well,

This patch is only for disabling the override UX on about:neterror.

Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/12abf6cbd12d Don't allow TLS downgrade if TLS min pref is locked. r=mt

[Tracking Requested - why for this release]: Needed for enterprises. If an organization has forced TLS 1.2, they shouldn't be allowed to switch to 1.1 or 1.0

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 75

Marking 74 as affected since there is a tracking request for this version. Mike, are you going to request an uplift to beta?

Flags: needinfo?(mozilla)

Comment on attachment 9128255 [details]
Bug 1617275 - Don't allow TLS downgrade if TLS min pref is locked. r?mt

Beta/Release Uplift Approval Request

  • User impact if declined: Users can override min version of TLS
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Set policy for SSLVersionMin to tls1.2
    Visit https://tls-v1-1.badssl.com:1011/
    Verify you are not given an option to downgrade.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Only happens if pref is locked (policy)
  • String changes made/needed:
Flags: needinfo?(mozilla)
Attachment #9128255 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9128255 [details]
Bug 1617275 - Don't allow TLS downgrade if TLS min pref is locked. r?mt

P1 and a change we have in our release notes for 74, uplift approved for 74.0b8, thanks.

Attachment #9128255 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Can you please explain how I can "Set policy for SSLVersionMin to tls1.2"?
If I only need to set the value of the "security.tls.version.min" pref to 2, then the fix seems inconclusive because I cannot see a difference of reproduction between Nightly v75.0a1 from 2020-02-23 and Nightly v75.0a1 from 2020-02-26 on Windows 10.

My steps:

  1. Open browser
  2. go to about:config
  3. modify the value of the "security.tls.version.min" pref from 3 to 2
  4. open the https://tls-v1-1.badssl.com:1011/ page
    Notice: both the affected and unaffected builds showed a large white text "tls-v1-1.badssl.com" on a red background.

Please fix my steps to reproduce.

Flags: needinfo?(mozilla)

(In reply to Bodea Daniel [:danibodea] from comment #12)

  1. modify the value of the "security.tls.version.min" pref from 3 to 2

Are you saying the fix works for you with value 3 (TLS 1.2), but not with value 2 (TLS 1.1)?

The fix has added condition !RPMPrefIsLocked("security.tls.version.min") to browser/base/content/aboutNetError.js:288.

AFAIK this condition is not related to setting pref("security.tls.version.min", 3); on about:config, but to locking the feature on enterprise environments using AutoConfig lockPref("security.tls.version.min", 3);. Note that it doesn't test the value of the setting, just whether it's locked or not.

You have to lock the value using policy.

Create a directory called distribution where Firefox is installed.
Create a file called policies.json:

{
  "policies": {
    "SSLVersionMin": "tls1.2"
  }
}

After doing this, if you look in about:config, the pref should be locked (in italics)

Flags: needinfo?(mozilla)

I have reproduced this issue in Nightly v75.0a1 from 2020-02-22 and Beta v74.0b7; verified the fix on Nightly v75.0a1 from 2020-02-27 and Beta v74.0b9. The affected builds will show the "Enable TLS 1.0 and 1.1" button displayed and the fixed builds will show the "Try Again" button.

The steps to reproduce/verify are actually:

  1. Lock the SSLVersion:
    a. Create a directory called distribution where Firefox is installed.
    b. Create a file called policies.json:

    {
      "policies": {
        "SSLVersionMin": "tls1.2"
      }
    }

  2. Open browser.

  3. open the https://tls-v1-1.badssl.com:1011/ page
    Actual: You are given an option to downgrade: shows "Enable TLS 1.0 and 1.1" button.
    Expected: You are not given an option to downgrade: shows "Try Again" button.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Blocks: 1745678
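As an added illustration (not Firefox's code and not the patch itself), the following JavaScript models the decision this fix makes on about:neterror: a policies.json carrying SSLVersionMin both sets and locks security.tls.version.min, and the "Enable TLS 1.0 and 1.1" button is offered only while the pref is unlocked. The version-error flag, the policy-to-pref value mapping and the sample policies.json text are assumptions made for the example.

```javascript
// Added model of the check this bug introduced, not Firefox's own code.
// Policy values map onto security.tls.version.min the way the comments
// describe (2 = TLS 1.1, 3 = TLS 1.2); tls1 and tls1.3 are the neighbours.
const POLICY_TO_PREF = { "tls1": 1, "tls1.1": 2, "tls1.2": 3, "tls1.3": 4 };

// Constructed policies.json contents, matching the file shown in the comments.
const SAMPLE_POLICIES_JSON = '{ "policies": { "SSLVersionMin": "tls1.2" } }';

// Derive the pref state from a policies.json document. A policy both sets
// the value and locks the pref (the italics seen in about:config); with no
// policy the user's about:config value applies and the pref stays unlocked.
function prefStateFromPolicies(policiesText, userValue = 3) {
  const doc = policiesText ? JSON.parse(policiesText) : {};
  const wanted = doc.policies && doc.policies.SSLVersionMin;
  if (wanted === undefined) {
    return { value: userValue, locked: false };
  }
  if (!(wanted in POLICY_TO_PREF)) {
    throw new Error(`unsupported SSLVersionMin value: ${wanted}`);
  }
  return { value: POLICY_TO_PREF[wanted], locked: true };
}

// Which button about:neterror offers. `isTlsVersionError` stands in for the
// page's own error classification (assumed input); `prefState.locked` plays
// the role of RPMPrefIsLocked("security.tls.version.min") from the fix.
function overrideButtonLabel(isTlsVersionError, prefState) {
  if (isTlsVersionError && !prefState.locked) {
    return "Enable TLS 1.0 and 1.1";   // unlocked: the user may downgrade
  }
  return "Try Again";                  // locked by policy, or not a version error
}

// Stand-alone demonstration of the two situations from the verification steps.
const locked = prefStateFromPolicies(SAMPLE_POLICIES_JSON);
const unlocked = prefStateFromPolicies(null, 2);   // about:config edited to 2
console.log("policy tls1.2 ->", JSON.stringify(locked), overrideButtonLabel(true, locked));
console.log("about:config 2 ->", JSON.stringify(unlocked), overrideButtonLabel(true, unlocked));
```

The unlocked case reproduces why editing about:config alone showed no difference between builds: only the locked state changes the button.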
