Closed
Bug 220240
Opened 21 years ago
Closed 21 years ago
fails to connect to web that has no certificate
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: erno, Assigned: darin.moz)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20030924 Firebird/0.7+
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20030924 Firebird/0.7+

SSL in anonymous Diffie-Hellman mode does not work. This is useful if you only want to care about active attacks and has the advantage of not requiring any certificates.

Reproducible: Always

Steps to Reproduce:
1. Try to browse to https://erno.iki.fi/
2. See dialog

Actual Results: Firebird said "The connection was refused when attempting to contact erno.iki.fi"

Expected Results: Displayed the web page.
Comment 1•21 years ago
Moving to Browser since Mozilla 1.5 RC1 shows the same behavior. I would question whether this is a Mozilla bug though, since I also cannot connect using Opera 7.2 and IE6.
Assignee: blake → darin
Component: General → Networking: HTTP
Product: Firebird → Browser
QA Contact: httpqa
Version: unspecified → Trunk
Comment 2•21 years ago
IE5 also doesn't work -> invalid
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
-> PSM REOPEN: searching Google shows that "anonymous Diffie-Hellman" seems to be a legitimate technical concept in SSL implementations. I have not seen sufficient analysis (a URL to a browser design document would have been needed) saying that we should or should not support this. Instead, I'm sending this to PSM, where it belongs.
Status: VERIFIED → UNCONFIRMED
Component: Networking: HTTP → Client Library
Product: Browser → PSM
QA Contact: httpqa → nobody
Resolution: INVALID → ---
Version: Trunk → 1.01
Reporter
Comment 5•21 years ago
correction to original report: s/active/passive/ of course (sigh).
Comment 6•21 years ago
We decided 7 years ago not to implement the DHE anonymous suites. It's totally inappropriate for the typical https user who wants to buy something online (or talk to his bank or whatever). The RFC says that DHE_anonymous is appropriate ONLY when authentication is accomplished by other means (e.g. Kerberos).
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → WONTFIX
Updated•8 years ago
Product: Core → Core Graveyard
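Added example, not part of the original bug thread or of any Mozilla code: a toy model of the point made in Comment 5 and Comment 6, showing that an unauthenticated Diffie-Hellman exchange holds up against a passive observer but gives both session keys to a party that replaces the public values in transit, and that authentication by other means exposes the replacement. The group parameters `P` and `G`, the function names and the HMAC over a pre-shared secret (standing in for something like the Kerberos case the comment mentions) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy group, constructed for this example only: far too small for real use.
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()

def tag(psk, client_pub, server_pub):
    # Stand-in for "authentication by other means": a MAC over both public
    # values, keyed with a secret the endpoints shared out of band.
    msg = f"{client_pub}|{server_pub}".encode()
    return hmac.new(psk, msg, hashlib.sha256).digest()

def handshake(active_interposer=False, psk=None):
    """Model one anonymous-DH exchange.
    Returns (client_key, server_key, interposer_keys, accepted)."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    to_server, to_client = c_pub, s_pub      # what each side receives
    interposer_keys = set()                  # a passive observer derives none
    if active_interposer:
        m_priv, m_pub = keypair()
        to_server = to_client = m_pub        # public values replaced in transit
        interposer_keys = {session_key(m_priv, c_pub),
                           session_key(m_priv, s_pub)}
    c_key = session_key(c_priv, to_client)
    s_key = session_key(s_priv, to_server)
    accepted = True                          # anonymous suite: nothing to verify
    if psk is not None:
        # Comparing the two tags stands in for each side sending its tag and
        # verifying the peer's; any replaced public value makes them differ.
        accepted = hmac.compare_digest(tag(psk, c_pub, to_client),
                                       tag(psk, to_server, s_pub))
    return c_key, s_key, interposer_keys, accepted

if __name__ == "__main__":
    for active in (False, True):
        for psk in (None, b"constructed-out-of-band-secret"):
            c, s, m, ok = handshake(active, psk)
            print(dict(active=active, authenticated=psk is not None,
                       interposer_has_keys=bool(m), accepted=ok))
```

In the unauthenticated active case the handshake is still accepted while the interposer holds the keys of both endpoints, which is the situation a certificate-based suite is meant to rule out.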