Any time that PSM calls PK11_LogoutAll, it should also call SSL_ClearSessionCache. This helps ensure that no authenticated SSL sessions are reused after the Logout. Also, any time that the user changes the set of enabled SSL2/SSL3/TLS versions, or changes the set of ciphersuites permitted for any of those versions, PSM should call SSL_ClearSessionCache after making the change. This ensures that ALL SSL sessions used after the change follow the newly established preferences.
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
*** Bug 285440 has been marked as a duplicate of this bug. ***
Created attachment 190538: fix first part (call SSL_ClearSessionCache after PK11_LogoutAll)
Assignee: nobody → mconnor
Status: NEW → ASSIGNED
Attachment #190538 - Flags: review?(dveditz)
This needs to block 1.8b4 if bug 285440 does.
Comment on attachment 190538: fix first part (call SSL_ClearSessionCache after PK11_LogoutAll)
sr=dveditz
Let's get nelson's r= on this.
Comment on attachment 190538: fix first part (call SSL_ClearSessionCache after PK11_LogoutAll)
Yes, looks right to me. r=nelson.bolyard
I also checked that SSL_ClearSessionCache will not crash even if NSS has not yet been initialized.
Attachment #190538 - Flags: review?(nelson) → review+
Attachment #190538 - Flags: approval1.8b4? → approval1.8b4+
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Many thanks to Mike and Dan and Benjamin.
Should a new bug be filed on the second part of comment 0?
dveditz's take was no; if users want to clear existing sessions they have the ability to directly do this themselves now. We can take that discussion to a new bug though. We also don't have UI for these now, so we're talking about watching a lot of prefs for changes.
This bug began life as a PSM bug. When the PSM "product" was removed, most PSM bugs got changed to "Core: Security UI", even if they were not UI bugs at all. This is an example. Some mozilla products no longer have UI to change individual cipher suites. But PSM still has code to do so, and that code is deficient in that it fails to clear the SSL session cache after such changes. I will open another PSM bug (not UI bug) about that.
Note that FF and Tbird DO still have UI to change the versions of SSL that are enabled. When those are changed, the changes do not take immediate effect because the cache is not cleared. I filed bug 302803 about that.