Closed Bug 184940 Opened 22 years ago Closed 22 years ago

Enable additional SSL ciphers, add configuration UI

Categories

(Core Graveyard :: Security: UI, enhancement)

Product:
Core Graveyard
Component:
Security: UI
Version:
Other Branch
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
psm2.4

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

Attachments

(5 files, 3 obsolete files)

Screenshot 1/4
36.29 KB, image/jpeg
Details
Screenshot 2/4
50.16 KB, image/jpeg
Details
Screenshot 3/4
58.01 KB, image/jpeg
Details
Screenshot 4/4
16.63 KB, image/jpeg
Details
Patch v2
72.23 KB, patch
KaiE
: review+
KaiE
: superreview+
Details | Diff | Splinter Review
The intention of this bug is to: - make Mozilla's SSL code use additional ciphers available in NSS - provide an appropriate UI to control which ciphers are enabled - enable additional new ciphers by default The dialog shown "Edit/Preferences/Privacy/SSL/Edit Ciphers" should get changed appropriately. (This bug was originally filed as bug 102633, and some historical information can be found there. However, because we are now using a different strategy for implementation, and given the fact the other bug is already long and complex, I've decided to use a fresh bug.)
*** Bug 102633 has been marked as a duplicate of this bug. ***
Target Milestone: --- → 2.4
Instead of the complex UI using scrolling checkboxes attempted in bug 102633, we would like to use a simple UI that avoid scrolling, but distributes the checkboxes on three panes in a tabbed dialog. The wording for the checkboxes (including for the new ciphers) has been cleaned up and optimized by Nelson. Thanks! I'm reusing some code from the the former patches in bug 102633. We provide the new ability to open a small detailed information dialog that provides more information about a cipher in a structured layout. Here is the list of new ciphers and the names of their preference strings, that will be ENABLED BY DEFAULT: security.ssl3.rsa_rc4_128_sha SSL_RSA_WITH_RC4_128_SHA security.ssl3.dhe_rsa_aes_256_sha TLS_DHE_RSA_WITH_AES_256_CBC_SHA security.ssl3.dhe_dss_aes_256_sha TLS_DHE_DSS_WITH_AES_256_CBC_SHA security.ssl3.rsa_aes_256_sha TLS_RSA_WITH_AES_256_CBC_SHA security.ssl3.dhe_rsa_aes_128_sha TLS_DHE_RSA_WITH_AES_128_CBC_SHA security.ssl3.dhe_dss_aes_128_sha TLS_DHE_DSS_WITH_AES_128_CBC_SHA security.ssl3.rsa_aes_128_sha TLS_RSA_WITH_AES_128_CBC_SHA security.ssl3.dhe_rsa_des_ede3_sha SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA security.ssl3.dhe_dss_des_ede3_sha SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA security.ssl3.dhe_rsa_des_sha SSL_DHE_RSA_WITH_DES_CBC_SHA security.ssl3.dhe_dss_des_sha SSL_DHE_DSS_WITH_DES_CBC_SHA For completenes, here is one new cipher that will be supported, but will be DISABLED by default: security.ssl3.rsa_null_sha SSL_RSA_WITH_NULL_SHA
Attached patch Patch v1 (obsolete) — Splinter Review
Attached image Screenshot 1/4
Attached image Screenshot 2/4
Attached image Screenshot 3/4
Comment on attachment 109069 [details] Screenshot 1/4 Marking obsolete, wrong content-type used...
Attachment #109069 - Attachment is obsolete: true
Attachment #109070 - Attachment is obsolete: true
Attached image Screenshot 4/4
Attached image Screenshot 1/4 (obsolete) —
Attached image Screenshot 2/4 (obsolete) —
Comment on attachment 109067 [details] [diff] [review] Patch v1 Javi, can you please review?
Attachment #109067 - Flags: review?(javi)
*** Bug 144510 has been marked as a duplicate of this bug. ***
*** Bug 85788 has been marked as a duplicate of this bug. ***
Attachment #109069 - Attachment is obsolete: false
Attachment #109069 - Attachment is patch: false
Attachment #109069 - Attachment mime type: text/plain → image/jpeg
Attachment #109070 - Attachment is obsolete: false
Attachment #109070 - Attachment is patch: false
Attachment #109070 - Attachment mime type: text/plain → image/jpeg
Attachment #109074 - Attachment is obsolete: true
Attachment #109075 - Attachment is obsolete: true
Comment on attachment 109067 [details] [diff] [review] Patch v1 r=javi
Attachment #109067 - Flags: review?(javi) → review+
Comment on attachment 109067 [details] [diff] [review] Patch v1 Jag, can you please review?
Attachment #109067 - Flags: superreview?(jaggernaut)
Kai, Do you have a binary for Win2K you want me to test?
I have uploaded a win32 test build to: http://www.kuix.de/mozilla/mozilla-win32-184940.zip Just unzip and run bin/mozilla.exe md5sum: f407e14b4faf0222efcd1db2bf6209a8 *mozilla-win32-184940.zip
Sean looked at the screenshots, and asks, whether we should change "Ciphersuites" into "Cipher Suites". Nelson, do you have a preference? Sean suggests, we could leave the current wording "Ciphersuites" if it appears to be more common.
I used the term "ciphersuites" (no space) because that is the term defined in the SSL3 and TLS specifications. However, for localization purposes, I'm sure it will be less confusing if it's separated into two words.
The TLS RFC uses both "cipher suite" and "CipherSuite" (note the capitalization). I think the latter is the name of a type in the formal protocol specification. In plain English prose I think it is better to use the former.
Thanks for your comments. After the superreview, I will change it to "cipher suite".
Comment on attachment 109067 [details] [diff] [review] Patch v1 >Index: mozilla/security/manager/pki/resources/content/cipherinfo.js >=================================================================== >+ var info_name; >+ var info_encryption; >+ var info_authAlg; >+ var info_keyAlg; >+ var info_keySize; >+ var info_macAlg; >+ var info_fips; >+ var info_exportable; >+ >+ info_name = document.getElementById("name"); >+ info_encryption = document.getElementById("encryption"); >+ info_authAlg = document.getElementById("authAlg"); >+ info_keyAlg = document.getElementById("keyAlg"); >+ info_keySize = document.getElementById("keySize"); >+ info_macAlg = document.getElementById("macAlg"); >+ info_fips = document.getElementById("fips"); >+ info_exportable = document.getElementById("exportable"); This is a little odd, I'd merge these two blocks. >+ if (typeof(prefValue) == "string") prefValue = (prefValue == "true"); Split this into two lines. >Index: mozilla/security/manager/ssl/src/nsCipherInfo.cpp >=================================================================== >+nsCipherInfoService::nsCipherInfoService() >+{ >+ NS_INIT_ISUPPORTS(); NS_INIT_ISUPPORTS() is no longer needed (see its definition).
Attachment #109067 - Flags: superreview?(jaggernaut) → superreview+
Attached patch Patch v2Splinter Review
New patch with all requests addressed.
Attachment #109067 - Attachment is obsolete: true
Comment on attachment 110829 [details] [diff] [review] Patch v2 carrying forward reviews
Attachment #110829 - Flags: superreview+
Attachment #110829 - Flags: review+
Updating summary to describe better what we are doing.
Summary: PSM should allow the user to enable/disable additional available ciphers → Enable additional SSL ciphers, add configuration UI
Checked in, marking fixed.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Reopening.
Status: RESOLVED → REOPENED
Depends on: 190160
Resolution: FIXED → ---
John, I think something must have gone wrong when you reopened the bug. You reopened without explaining why. I don't understand why you did. You added a dependency to unconfirmed bug 190160, but I don't see any relation. I'm removing the dependency and marking the bug fixed again.
Status: REOPENED → RESOLVED
Closed: 22 years ago22 years ago
No longer depends on: 190160
Resolution: --- → FIXED
Verified. I must not have had my coffee yet and thought I was on a different bug.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: