Closed Bug 220240 Opened 21 years ago Closed 21 years ago

fails to connect to web that has no certificate

Categories

(Core Graveyard :: Security: UI, defect)

1.0 Branch
x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: erno, Assigned: darin.moz)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20030924 Firebird/0.7+
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20030924 Firebird/0.7+

SSL in anonymous Diffie-Hellman mode does not work. This is useful if you only
want to care about active attacks and has the advantage of not requiring any
certificates.

Reproducible: Always

Steps to Reproduce:
1. Try to browse to https://erno.iki.fi/
2. See dialog

Actual Results:  
Firebird said "The connection was refused when attempting to contact erno.iki.fi"


Expected Results:  
Displayed the web page.

Moving to Browser since Mozilla 1.5 RC1 shows the same behavior.

I would question whether this is a Mozilla bug though, since I also cannot
connect using Opera 7.2 and IE6.
Assignee: blake → darin
Component: General → Networking: HTTP
Product: Firebird → Browser
QA Contact: httpqa
Version: unspecified → Trunk
IE5 also doesn't work -> invalid
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
v.
Status: RESOLVED → VERIFIED
-> PSM

REOPEN: searching Google shows that "anonymous Diffie-Hellman" seems to be a
legitimate technical concept in SSL implementations.

I have not seen sufficient analysis (a URL to a browser design document would
have been needed) saying that we should or should not support this.

Instead, I'm sending this to PSM, where it belongs.
Status: VERIFIED → UNCONFIRMED
Component: Networking: HTTP → Client Library
Product: Browser → PSM
QA Contact: httpqa → nobody
Resolution: INVALID → ---
Version: Trunk → 1.01
correction to original report: s/active/passive/ of course (sigh).
We decided 7 years ago not to implement the DHE anonymous suites.  
It's totally inappropriate for the typical https user who wants to buy
something online (or talk to his bank or whatever).  
The RFC says that DHE_anonymous is appropriate ONLY when authentication 
is accomplished by other means (e.g. Kerberos).  
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → WONTFIX
Product: PSM → Core
Version: psm1.01 → 1.0 Branch
Product: Core → Core Graveyard
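
Added example, not part of the bug report and not PSM or NSS code: a simulation of an unauthenticated Diffie-Hellman exchange, showing what the thread's passive/active distinction means for the two endpoints and what a check made "by other means" would catch. The group parameters `P` and `G` are toy values, and every function name is hypothetical.

```python
import hashlib
import secrets

# Toy group for illustration (assumption: not a group any TLS suite uses).
P = 2**127 - 1  # Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(str(shared).encode()).hexdigest()

def fingerprint(client_pub, server_pub):
    # Digest of the public values one endpoint believes were exchanged.
    return hashlib.sha256(f"{client_pub}|{server_pub}".encode()).hexdigest()

def handshake(interposer="passive"):
    """Simulate one unauthenticated DH exchange (hypothetical helper)."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    pub_seen_by_client, pub_seen_by_server = s_pub, c_pub
    interposer_keys = ()  # a passive observer sees only c_pub and s_pub
    if interposer == "active":
        m_priv, m_pub = keypair()
        # Nothing signs the public values, so a swapped value is accepted.
        pub_seen_by_client = pub_seen_by_server = m_pub
        interposer_keys = (session_key(m_priv, c_pub),
                           session_key(m_priv, s_pub))
    return {
        "client_key": session_key(c_priv, pub_seen_by_client),
        "server_key": session_key(s_priv, pub_seen_by_server),
        "interposer_keys": interposer_keys,
        # Comparing these over an authenticated channel is the
        # "authentication by other means" the exchange lacks.
        "client_fp": fingerprint(c_pub, pub_seen_by_client),
        "server_fp": fingerprint(pub_seen_by_server, s_pub),
    }

if __name__ == "__main__":
    for mode in ("passive", "active"):
        r = handshake(mode)
        print(mode, "keys match:", r["client_key"] == r["server_key"],
              "| fingerprints match:", r["client_fp"] == r["server_fp"])
```

In the active case neither endpoint sees an error on its own; only the fingerprint comparison, which needs an authenticated channel such as a certificate signature or Kerberos, reveals the substitution.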