Closed
Bug 1789410
Opened 2 years ago
Closed 1 year ago
ECH client - Connection with valid ECHConfig but server negotiating TLS 1.2 does not throw ech_required.
Categories
(NSS :: Libraries, defect, P1)
Tracking
(firefox-esr102 unaffected, firefox110 disabled, firefox111 fixed)
RESOLVED
FIXED
3.88
Version | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected |
firefox110 | --- | disabled |
firefox111 | --- | fixed |
People
(Reporter: lschwarz, Assigned: djackson)
References
(Blocks 1 open bug)
Details
(Keywords: sec-low, Whiteboard: [adv-main111-][post-critsmash-triage])
Attachments
(1 file, 1 obsolete file)
nightly-only
Security Sensitive Crypto Bug
If the NSS ECH client is set up with valid ECHConfigs for a server, but on connection the server negotiates TLS 1.2, this does NOT result in an ech_required alert but in a successful TLS 1.2 connection without the server securely disabling ECH.
This should lead to termination of the connection with an ech_required alert.
The behavior was detected using the BoringSSL test runner (bogo) "TLS-ECH-Client-Reject-TLS12" test.
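A simplified model of the client-side check the report describes, added here as an illustration; it is not NSS code and is not taken from the bug's patch. All type and function names are hypothetical, and the step of authenticating for the ECHConfig public name before aborting follows the ECH specification rather than anything stated in the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an ECH client's check on the server's response.
 * All names are hypothetical; this is not NSS code. */
#define TLS_VERSION_1_2 0x0303
#define TLS_VERSION_1_3 0x0304

typedef enum {
    ECH_NOT_OFFERED,    /* ordinary handshake, nothing to enforce */
    ECH_ACCEPTED,       /* continue with the inner ClientHello */
    ECH_ABORT_REQUIRED, /* send ech_required (alert 121) and close */
    ECH_ABORT_AUTH      /* public-name authentication failed */
} ech_result;

typedef struct {
    bool ech_offered;            /* client sent a real ECH extension */
    uint16_t negotiated_version; /* version selected by the server */
    bool acceptance_confirmed;   /* ServerHello carried the acceptance signal */
    bool public_name_cert_ok;    /* chain validated for ECHConfig public_name */
} ech_state;

/* Rejection path: authenticate for the public name, then abort. */
static ech_result ech_rejected(const ech_state *hs) {
    return hs->public_name_cert_ok ? ECH_ABORT_REQUIRED : ECH_ABORT_AUTH;
}

/* Model of the reported behaviour: a TLS 1.2 ServerHello skips the ECH check. */
static ech_result ech_check_reported(const ech_state *hs) {
    if (!hs->ech_offered || hs->negotiated_version < TLS_VERSION_1_3)
        return ECH_NOT_OFFERED; /* TLS 1.2 completes as a plain connection */
    return hs->acceptance_confirmed ? ECH_ACCEPTED : ech_rejected(hs);
}

/* Expected behaviour: anything below TLS 1.3 counts as ECH rejection. */
static ech_result ech_check_expected(const ech_state *hs) {
    if (!hs->ech_offered)
        return ECH_NOT_OFFERED;
    if (hs->negotiated_version >= TLS_VERSION_1_3 && hs->acceptance_confirmed)
        return ECH_ACCEPTED;
    return ech_rejected(hs);
}

int main(void) {
    /* Constructed case: ECH offered, server picks TLS 1.2 with a valid cert. */
    ech_state hs = { true, TLS_VERSION_1_2, false, true };
    printf("reported=%d expected=%d\n", ech_check_reported(&hs), ech_check_expected(&hs));
    return 0;
}
```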
Reporter
Comment 1•2 years ago
Reporter
Comment 2•2 years ago
Updated•2 years ago
Attachment #9294581 - Attachment is obsolete: true
Comment 3•2 years ago
There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:lschwarz, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit auto_nag documentation.
Flags: needinfo?(lschwarz)
Flags: needinfo?(djackson)
Assignee
Updated•2 years ago
Flags: needinfo?(lschwarz)
Flags: needinfo?(djackson)
Assignee
Updated•1 year ago
Assignee: lschwarz → djackson
Assignee
Comment 4•1 year ago
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Updated•1 year ago
Group: crypto-core-security → core-security-release
status-firefox111: --- → fixed
Target Milestone: --- → 3.88
Updated•1 year ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•1 year ago
Whiteboard: [post-critsmash-triage] → [adv-main111+][post-critsmash-triage]
Updated•1 year ago
status-firefox110: --- → disabled
status-firefox-esr102: --- → unaffected
Whiteboard: [adv-main111+][post-critsmash-triage] → [adv-main111-][post-critsmash-triage]
Updated•6 months ago
Group: core-security-release
Group: core-security-release