missing calls to SSL_ClearSessionCache

RESOLVED FIXED

Status

Core Graveyard
Security: UI
15 years ago
2 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: mconnor)

Tracking

1.0 Branch
Bug Flags:
blocking1.8b5 +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Any time that PSM calls PK11_LogoutAll, it should also call SSL_ClearSessionCache.
This helps ensure that no authenticated SSL sessions are reused after the Logout.

Also, any time that the user changes the set of enabled SSL2/SSL3/TLS versions,
or changes the set of ciphersuites permitted for any of those versions, PSM
should call SSL_ClearSessionCache after making the change. This ensures that
ALL SSL sessions used after the change follow the newly established preferences.
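
Added example, not part of this bug or its attached patch: a toy C model of the behaviour described above, in which a cached session is resumed without consulting the current login state or protocol preferences, so a logout or preference change only takes effect once the cache is cleared. All names (`session_t`, `connect_peer`, `clear_session_cache` and the rest) are hypothetical stand-ins rather than NSS or PSM code; `clear_session_cache` plays the role of SSL_ClearSessionCache, and the single modelled peer is assumed to speak only SSL 3.0.

```c
#include <stdio.h>
#include <string.h>

/* Toy model with hypothetical names; not NSS or PSM code. */
enum { VER_SSL3 = 0x0300 };
typedef struct { int valid, version, client_authed; } session_t;

static session_t cached;      /* one-entry session cache for a single peer */
static int logged_in;         /* token login state, reset by logout */
static int ssl3_enabled;      /* user preference */

/* Plays the role the report assigns to SSL_ClearSessionCache. */
static void clear_session_cache(void) { memset(&cached, 0, sizeof cached); }

/* The modelled peer speaks only SSL 3.0. A cache hit resumes the old session
   as-is; only a full handshake consults the current login state and prefs. */
static session_t connect_peer(void) {
    if (cached.valid) return cached;
    session_t s = { 0, 0, 0 };
    if (ssl3_enabled) {
        s.valid = 1; s.version = VER_SSL3; s.client_authed = logged_in;
        cached = s;
    }
    return s;
}

/* Start each scenario logged in, SSL 3.0 enabled, with one session cached. */
static void reset(void) { clear_session_cache(); logged_in = 1; ssl3_enabled = 1; connect_peer(); }

/* Log out, optionally clear the cache, reconnect: is the session still authenticated? */
int authed_after_logout(int clear) {
    reset();
    logged_in = 0;
    if (clear) clear_session_cache();
    return connect_peer().client_authed;
}

/* Disable SSL 3.0, optionally clear the cache, reconnect: version in use (0 = refused). */
int version_after_disable(int clear) {
    reset();
    ssl3_enabled = 0;
    if (clear) clear_session_cache();
    return connect_peer().version;
}

int main(void) {
    printf("logout:   no clear authed=%d, clear authed=%d\n", authed_after_logout(0), authed_after_logout(1));
    printf("pref off: no clear 0x%04x, clear 0x%04x\n", version_after_disable(0), version_after_disable(1));
    return 0;
}
```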

Comment 1

14 years ago
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody

Updated

13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core
(Reporter)

Comment 2

13 years ago
*** Bug 285440 has been marked as a duplicate of this bug. ***
Blocks: 285440
(Assignee)

Comment 3

13 years ago
Created attachment 190538
fix first part (call SSL_ClearSessionCache after PK11_LogoutAll)
Assignee: nobody → mconnor
Status: NEW → ASSIGNED
Attachment #190538 - Flags: review?(dveditz)
This needs to block 1.8b4 if bug 285440 does.
Flags: blocking1.8b4+
Comment on attachment 190538
fix first part (call SSL_ClearSessionCache after PK11_LogoutAll)

sr=dveditz
Let's get nelson's r= on this.
Attachment #190538 - Flags: superreview+
Attachment #190538 - Flags: review?(nelson)
Attachment #190538 - Flags: review?(dveditz)
(Reporter)

Comment 6

13 years ago
Comment on attachment 190538
fix first part (call SSL_ClearSessionCache after PK11_LogoutAll)

Yes, looks right to me. r=nelson.bolyard
I also checked that SSL_ClearSessionCache will not crash
even if NSS has not yet been initialized.
Attachment #190538 - Flags: review?(nelson) → review+
(Assignee)

Updated

13 years ago
Attachment #190538 - Flags: approval1.8b4?

Updated

13 years ago
Attachment #190538 - Flags: approval1.8b4? → approval1.8b4+
(Assignee)

Updated

13 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
(Reporter)

Comment 7

13 years ago
Many thanks to Mike and Dan and Benjamin.
Should a new bug be filed on the second part of comment 0?
(Assignee)

Comment 9

13 years ago
dveditz's take was no, if users want to clear existing sessions they have the
ability to directly do this themselves now. We can take that discussion to a new
bug though.

We also don't have UI for these now, so we're talking about watching a lot of
prefs for changes.
(Reporter)

Comment 10

13 years ago
This bug began life as a PSM bug. When the PSM "product" was removed,
most PSM bugs got changed to "Core: Security UI", even if they were not
UI bugs at all. This is an example.

Some Mozilla products no longer have UI to change individual cipher suites.
But PSM still has code to do so, and that code is deficient in that it
fails to clear the SSL session cache after such changes.

I will open another PSM bug (not UI bug) about that.
(Reporter)

Comment 11

13 years ago
Note that FF and Tbird DO still have UI to change the versions of SSL that
are enabled. When those are changed, the changes do not take immediate
effect because the cache is not cleared. I filed bug 302803 about that.

Updated

10 years ago
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard