Closed
Bug 235773
(eccui)
Opened 21 years ago
Closed 18 years ago
TLS ECC cipher suites: PSM backend, SeaMonkey UI
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.8.1
People
(Reporter: sheueling.chang, Assigned: KaiE)
References
()
Details
(Keywords: fixed1.8.1, Whiteboard: [kerh-eha])
Attachments
(5 files, 19 obsolete files)
28.46 KB,
patch
|
rrelyea
:
review+
neil
:
ui-review+
KaiE
:
approval-branch-1.8.1+
|
Details | Diff | Splinter Review |
18.12 KB,
patch
|
rrelyea
:
review+
darin.moz
:
review+
KaiE
:
approval-branch-1.8.1+
|
Details | Diff | Splinter Review |
1.30 KB,
patch
|
wtc
:
review+
darin.moz
:
approval1.8.1+
|
Details | Diff | Splinter Review |
1.80 KB,
patch
|
KaiE
:
review+
|
Details | Diff | Splinter Review |
1.86 KB,
patch
|
iannbugzilla
:
review+
|
Details | Diff | Splinter Review |
User-Agent:
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.4) Gecko/20031021
Request for Mozilla to be enhanced to support the Internet
Draft for Elliptic Curve Cipher suites in SSL.
The latest Internet-draft is available at:
http://www.ietf.org/internet-drafts/draft-ietf-tls-ecc-05.txt
The underlying Elliptic Curve cryptographic library has already
been checked into NSS3.9 library earlier.
Reproducible: Always
Steps to Reproduce:
1. N/A
2.
3.
Actual Results:
There is no current support for Elliptic Curve.
Expected Results:
N/A
N/A
Reporter | ||
Comment 1•21 years ago
|
||
*** Bug 235774 has been marked as a duplicate of this bug. ***
Reporter | ||
Comment 2•21 years ago
|
||
This patch modifies files in mozilla/security/manager/....
This patch adds ECC cipher suites in Mozilla's cipher suite configuration panel
and adds support for ECC key generation in the KEYGEN tag
to allow the deployment of ECC-based PKI
Comment 3•21 years ago
|
||
I confirm this enhancement request. Thanks for the patch.
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Enhancement Support for Internet-draft draft-ietf-tls-ecc-05 (Elliptic Curve cipher suites for SSL) → Support Elliptic Curve cipher suites for SSL (draft-ietf-tls-ecc-05)
Reporter | ||
Comment 4•21 years ago
|
||
Comment on attachment 142389 [details] [diff] [review]
This patch adds ECC cipher suites in Mozilla's cipher suite configuration panel. It also adds support for ECC key generation in the KEYGEN tag to allow ECC-based PKI deployment.
Hello,
I would like to ask you to review this small patch to enhance Mozilla to
support ECC cipher suites. The bulk of ECC work has been done and we have
already worked with Nelson Bolyard to check in Elliptic Curve crypto into NSS
3.9.
Comment 5•21 years ago
|
||
This patch adds a huge number of OIDs and possible key parameters, I have a hard
time believing half of them would be necessary. I suspect the IETF process will
pare these down a bit an believe we should wait for it to do so.
You should indeed have the pulldown selections for the keygen tag be specific to
the keytype. It's not acceptable to give the RSA keygen users such confusing
choices. I suspect it's not necessary to give ECC keygen users the low-security
choice.
The signature of nssComponent->GetPIPNSSBundleString() has changed, you need to
update your patch.
Do you have a test website one could give this code a spin against?
Updated•21 years ago
|
Attachment #142389 -
Flags: review-
Comment 6•21 years ago
|
||
(In reply to comment #5)
Hi John,
Thank you for reviewing the patch. My comments are below.
> This patch adds a huge number of OIDs and possible key parameters, I have a hard
> time believing half of them would be necessary. I suspect the IETF process will
> pare these down a bit an believe we should wait for it to do so.
Most of the OIDs are for the standard elliptic curves and they've been defined
by bodies other than the IETF (NIST, ANSI and SECG) so I'm not sure if
the IETF would be paring these down. But I understand your concern --
especially in the case of the KEYGEN tag, it doesn't make sense to overwhelm
the enduser with the too many curve names (most users won't know what
to make of them).
> You should indeed have the pulldown selections for the keygen tag be specific to
> the keytype. It's not acceptable to give the RSA keygen users such confusing
> choices. I suspect it's not necessary to give ECC keygen users the low-security
> choice.
Agreed. I'm not too familiar with this part of the Mozilla code. Is there someone
on the Mozilla team we could work with? In particular, a few things aren't quite
clear to me yet:
- How does one insert code for conditional compilation in a xul file (recall that
ECC support in NSS is only enabled when the flag NSS_ENABLE_ECC is set)?
Do XUL files also pass through the C pre-processor? (Actually, this comment
is for the code dealing with cipher suite check boxes in Preferences->
Security and Privacy->SSL)
- How does one create a drop down menu for the KEYGEN tag such that the items
displayed in the menu depend on the parameters passed to the KEYGEN tag?
- What is the right thing to do in terms of user interface for the KEYGEN tag --
If the keytype is ec, should the browser display a fixed set of available curves
or should we add a new keyparams parameter to KEYGEN and only list the
curves that represent the intersection of what's implemented in the underlying
libraries and what's listed in keyparams? Letting the certificate authority (CA)
send out keyparams can help with the following usability issue arising from
the use of EC keys -- while size is the only thing one cares about for RSA
(and even that can be hidden from the user by saying 'low', 'medium', 'high')
there are more variables for EC keys (e.g. which field -- prime or binary polynomial,
what size and what specific curve for a given size). Most end users
would not be in a position to judge which curve is appropriate for their needs
so it makes sense to let the CA specify a small set to choose from and the UI
could hide the actual curve behind an adjective like 'low', 'medium', 'high'.
Perhaps, initially we can restrict ourselves only to a very small number of
NIST standardized prime-field curves.
> The signature of nssComponent->GetPIPNSSBundleString() has changed, you need to
> update your patch.
> Do you have a test website one could give this code a spin against?
We have a test CA set up internally at Sun. I'll set one up on the general Internet
and let you know. I'll also enable ECC cipher suite support so that feature of
Mozilla can also be tested.
vipul
Reporter | ||
Updated•21 years ago
|
Attachment #142389 -
Flags: review- → review?(jgmyers)
Comment 7•21 years ago
|
||
Comment on attachment 142389 [details] [diff] [review]
This patch adds ECC cipher suites in Mozilla's cipher suite configuration panel. It also adds support for ECC key generation in the KEYGEN tag to allow ECC-based PKI deployment.
I'd already minused this. The patch is not, in its current form, ready to be
checked in.
Attachment #142389 -
Flags: review?(jgmyers) → review-
Comment 8•21 years ago
|
||
(In reply to comment #6)
> Agreed. I'm not too familiar with this part of the Mozilla code. Is there someone
> on the Mozilla team we could work with?
There's me, there's Kai (who doesn't have much time to give to Mozilla), and
there's whoever else you can find on the newsgroups, etc. I'll be reviewing the
patch, but for areas outside my expertise the best I can do is point you towards
likely places to find other people.
In particular, a few things aren't quite
> - How does one insert code for conditional compilation in a xul file
You got me there. I suggest asking on netscape.public.mozilla.xpfe or .builds
> - How does one create a drop down menu for the KEYGEN tag such that the items
> displayed in the menu depend on the parameters passed to the KEYGEN tag?
It looks like you have to modify nsKeygenFormProcessor::ProvideContent() to
return a different value based on the context. I suspect you would get at that
context in much the same way that nsKeygenFormProcessor::ProcessValue() does.
(And I certainly wouldn't mind your adding a private method to class
nsKeygenFormProcessor() to permit ProvideContent and ProcessValue to share code.)
> - What is the right thing to do in terms of user interface for the KEYGEN
tag --
> If the keytype is ec, should the browser display a fixed set of
available curves
> or should we add a new keyparams parameter to KEYGEN and only list the
> curves that represent the intersection of what's implemented in the
underlying
> libraries and what's listed in keyparams?
I definitely like the idea of adding a new parameter.
> Perhaps, initially we can restrict ourselves only to a very small number of
> NIST standardized prime-field curves.
I would prefer we restrict ourselves to a small number of standardized curves.
That was what I meant about the IETF paring the list down.
Also, is there a way to query to see if NSS has EC support compiled in? In the
case where an EC-enabled PSM is dynamically linked against a non-EC-enabled NSS,
it should be able to hide the EC-related UI. Actually, I believe there is some
way to get at the list of enabled SSL ciphers, that may be a way to address the
conditional XUL issue.
I'm assigning the bug to you as you're responsible for getting the patch in shape.
Assignee: kaie → sheueling.chang
Comment 9•21 years ago
|
||
John,
My take on this bug is that going forward, we should have NSS ECC-enabled by
default and eliminate the conditional compilations issues (which may or may not
be possible to deal with in XUL anyway). For the Mozilla clients, there is no
good reason not to have ECC in NSS
Comment 10•21 years ago
|
||
Several comments about turning ECC on in mozilla by default.
1. Best to wait until the ECC-TLS drafts become an RFC.
2. IINM, the implementation of ECC/TLS in NSS matches an older draft,
not draft 5 (current draft as of this writing).
Draft 5 includes negotiation of ECC curves in TLS/SSL. The earlier draft,
now implemented in NSS (and IINM in OpenSSL and elsewhere) did not feature
negotiation of ECC curves. This meant that a client and a server that both
supported ECC ciphersuites (but disjoint sets of curves) and also both
supported a common set of non-ECC ciphersuites could (and probably would)
negotiate an ECC ciphersuite and then fail to complete the handshake,
rather than succesfully handshaking with a Non-ECC ciphersuite.
For a browser user, that problem would be highly similar to the "TLS
intolerance" problem, which mozilla now works around by reconnecting and
rehandshaking with TLS disabled after a failed handshake with it enabled.
This is known as "transparent recovery". Before mozilla added that, users
found it necessary to disable TLS to connect to many secure web sites.
I think it's clear that we don't want users having to do that for ECC.
IMO, we also don't want mozilla to make more than 2 attempts to connect
and handshake in order to succesfully conclude one handshake, as it might
if it had to try once with ECC, once with TLS but not ECC, and finally
perhaps a third time with only SSL3 and not ECC.
Internet Draft 5 of ECC/TLS provides ECC curve negotiation which will
solve this problem, but only if/when SSL/TLS handshakes stop using SSL2
compatible client hellos. IOW, SSL2 must die before ECC/TLS becomes
viable (IMO). And curve negotiation is not yet implemented in NSS, IINM.
So, I think we've got a ways further to go before we're ready to enable
ECC/TLS by default. But I do hope we'll get there before too long.
And adding UI to enable/disable ECC/TLS is a good step in the meantime.
Summary: Support Elliptic Curve cipher suites for SSL (draft-ietf-tls-ecc-05) → Add UI for TLS ECC cipher suites (draft-ietf-tls-ecc-05)
Comment 11•21 years ago
|
||
(In reply to comment #10)
> So, I think we've got a ways further to go before we're ready to enable
> ECC/TLS by default. But I do hope we'll get there before too long.
> And adding UI to enable/disable ECC/TLS is a good step in the meantime.
I agree with Nelson that it would be premature to enable the ECC cipher
suites by default -- the IETF specification has not yet been approved as
an RFC.
However, I don't see any problems with exposing the ECC cipher suites
to mozilla users under Preferences->Privacy and Security->SSL->Edit
Ciphers->Extra SSL3/TLS. One of the things we could do is append
"(Experimental)" at the end of the cipher name until the RFC is issued.
This is similar to how OpenSSL does not expose ECC ciphers by default
but makes them accessible by turning on ECCdraft (the draft indicates
that the specification is not yet an RFC).
Furthermore, I'm not sure I see the need to make Bug 235773 dependent
on the addition of curve negotiation for Mozilla. Curve negotiation is
a mechanism for constrained clients that do not implement all of the
curves listed in the spec to avoid the problem described by Nelson.
However, Mozilla does implement all of the listed curves. Section 4
of http://www.ietf.org/internet-drafts/draft-ietf-tls-ecc-05.txt allows
such clients to not send the extension.
What am I missing?
vipul
Comment 12•21 years ago
|
||
(In reply to comment #6)
> We have a test CA set up internally at Sun. I'll set one up on the general Internet
> and let you know. I'll also enable ECC cipher suite support so that feature of
> Mozilla can also be tested.
>
> vipul
There is now an externally accessible Apache webserver that can communicate via both
RSA and ECC cipher suites. The server is available at dev.experimentalstuff.com
(HTTP on port 8081, HTTPS on port 8443).
If you access the URL https://dev.experimentalstuff.com:8443/test.php,
the page you get will tell you what kind of SSL connection was negotiated, e.g.
for a traditional browser, the CIPHER SUITE will be RC4-SHA or something
similar indicating RSA key exch (for RSA, the key exch isn't mentioned
explicitly). If, however, one uses an ECC-enabled version of Mozilla with
ECC ciphers enabled (check the ECC cipher suites in
Preferences->Privacy and Security->SSL->Edit Ciphers
->Extra SSL3/TLS Ciphers) then the page will say:
CIPHER SUITE ECDHE-ECDSA-AES128-SHA
(or similar depending on which ECC ciphers were enabled)
In the next few days, I'll also set up a demo certificate authority
on the same server capable of issuing ECC certificates. This
would allow testing of the new ec keytype in Mozilla's
KEYGEN tag handling code.
Please let me know if you encounter any problems.
vipul
Comment 13•21 years ago
|
||
In response to comment 11, 2 points:
1. I have no problem allowing the existing ECC cipher suites to be exposed
in the UI, so that knowledgable users can turn them on if they want to,
provided that they are all disabled by default. Such users would also be
responsible to turn them off if SSL handshakes began to fail due to ECC
ciphersuites. The whole point of my prior comment had to do with the
*default condition* of the ECC ciphersuites.
2. Today, NSS's implementation may implement all known standardized curves,
but it only takes one new one to make that no longer true. On the day that
that first new(er) ECC curve is rolled out on some popular server, client
that cannot negotiate curves will begin to experience the problem I described.
We know that this whole field of ECC is still in its infancy. So, we cannot
expect that the space of standard curves will not soon grow.
Comment 14•21 years ago
|
||
(In reply to comment #13)
I agree. Looks like we are both saying that:
- it is ok to make the new cipher suites visible in the UI as
long as these ciphers are not turned on by default (the
checkboxes will be unchecked)
- curve negotiation ought to be added to NSS before ECC
cipher suites are turned on by default
Given this, should the dependency of 235773 on 236245
be removed (236245 should still be left as unresolved)?
vipul
Comment 15•21 years ago
|
||
I've filed bug 236507 about enabling ECC by default. That bug depends on
bug 236245, so this one need not.
No longer depends on: 236245
Comment 16•21 years ago
|
||
The patch needs to also be changed to test the keytype like the recently checked
in fix to bug 139473.
Comment 17•21 years ago
|
||
I've updated the previous patch in response to changes made to the
Mozilla source since mozilla-1.4 (the previous patch was for 1.4).
This patch isn't quite ready for checkin. Here are the two outstanding
issues that need to be resolved. I'm placing the patch here simply for
testing purposes (an ECC enabled Apache webserver is now available
at https://dev.experimentalstuff.com:8443/test.php).
- the patch must add ECC cipher suites in the UI only if the
underlying crypto library (NSS) has ECC support turned on
- the drop down menu displayed for the KEYGEN tag needs
to be dependent on the keytype and keyparams attributes
(this will be easy once bug 236684 is resolved)
vipul
Comment 18•21 years ago
|
||
(In reply to comment #12)
> In the next few days, I'll also set up a demo certificate authority
> on the same server capable of issuing ECC certificates. This
> would allow testing of the new ec keytype in Mozilla's
> KEYGEN tag handling code.
I have set up a demo certification authority capable of
issuing Elliptic Curve certificates. To try this out, point
your browser at the following URL and follow directions.
http://dev.experimentalstuff.com:8081/RequestCert.html
Currently there is no provision to send email from this server which
limits the CA's ability to verify the email address of the cert
requester. This CA is only intended for demo/testing.
Please let me know if you encounter any problems.
vipul
Comment 19•21 years ago
|
||
Adds the same functionality as attachment 143528 [details] [diff] [review] (above) but targets
Mozilla-1.6.
Comment 20•21 years ago
|
||
The previous patch did not correctly handle the "low grade" security option in
the KEYGEN tag for ECC keytype. Unlike Mozilla 1.7 which only supports "medium"
and "high" grade security, Mozilla 1.6 still supports "low" grade (512-bit RSA
which corresponds to 112-bit ECC).
Updated•21 years ago
|
Attachment #144686 -
Attachment is obsolete: true
Comment 21•21 years ago
|
||
Attachment 144757 [details] [diff] had a typo in nsNSSComponent.cpp due to which
the ECDH-ECDSA with RC4 and SHA1 cipher suite could not be activated.
This attachment fixes that typo.
Attachment #144757 -
Attachment is obsolete: true
Comment 22•20 years ago
|
||
The firefox source places pref-ssl.dtd and pipnss.properties files
in different directories compared to Mozilla. Otherwise, this patch
is pretty much the same as attachment (id=143528).
Comment 23•19 years ago
|
||
Comment on attachment 163877 [details] [diff] [review]
Patch for Firefox (Aviary 1.0 branch)
i'm currently auditing one of the files related to this patch. this review is
based on my general areas of concern, namely: bad code and failure to check for
failure.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/util/secit
em.h&rev=1.4&mark=58,63-64#52
58 ** The resulting item is returned; NULL if any error occurs.
63 extern SECItem *SECITEM_AllocItem(PRArenaPool *arena, SECItem *item,
64 unsigned int len);
>Index: mozilla/security/manager/ssl/src/nsKeygenHandler.cpp
>+static SECKEYECParams *
>+decode_ec_params(char *curve)
>+ ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
>+ ecparams->data[0] = SEC_ASN1_OBJECT_ID;
you just crashed. please check for allocation failure.
> nsKeygenFormProcessor::GetPublicKey(nsAString& aValue, nsAString& aChallenge,
> nsAFlatString& aKeyType,
>+ nsAString& aOutPublicKey, nsAString& aKeyParams)
>@@ -406,12 +540,12 @@
> } else if (aKeyType.EqualsIgnoreCase("dsa")) {
> char * end;
>+ keyparamsString = ToNewCString(aKeyParams);
> type = dsaKey;
> keyGenMechanism = CKM_DSA_KEY_PAIR_GEN;
>+ if (strcmp(keyparamsString, "null") == 0)
you just crashed in libc because no one null checked ToNewCString (yes, i know,
you're just changing blame and variable names. i don't care.)
>@@ -424,6 +558,13 @@
> found_match:
> pqgParams = decode_pqg_params(str);
>+#ifdef NSS_ENABLE_ECC
>+ } else if (aKeyType.EqualsIgnoreCase("ec")) {
>+ keyparamsString = ToNewCString(aKeyParams);
i'm guessing this will cause issues if you don't check the allocation for
failure.
>@@ -443,6 +584,47 @@
>+#ifdef NSS_ENABLE_ECC
somewhere in this block you mention pqg but your patch seems to replace most
instances of pqg with keyparams ...
>+ case CKM_EC_KEY_PAIR_GEN:
>+ /* XXX We ought to rethink how the KEYGEN tag is
will there be a bug for this XXX?
>+ /* XXX The signature algorithm ought to choose the hashing
will there be a bug for this XXX?
>+ * algorithm based on key size once ECDSA variations based
>+ * on SHA256 SHA384 and SHA512 are standardized.
is there a thread where someone can follow to find more information about the
process for this standardization?
>Index: mozilla/security/manager/ssl/src/nsNSSCertificate.cpp
>@@ -1074,6 +1075,8 @@
> nsINSSComponent *nssComponent,
> nsIASN1Sequence **retSequence)
> {
>+ SECOidTag algOIDTag = SECOID_FindOIDTag(&algID->algorithm);
>+ SECItem paramsOID = { siBuffer, NULL, 0 };
> nsCOMPtr<nsIASN1Sequence> sequence = new nsNSSASN1Sequence();
> if (sequence == nsnull)
> return NS_ERROR_OUT_OF_MEMORY;
>@@ -1095,8 +1098,16 @@
> printableItem = new nsNSSASN1PrintableItem();
no one null checked this for alloc failure, so you're now responsible for the
crash that follows.
> asn1Objects->AppendElement(printableItem, PR_FALSE);
> nssComponent->GetPIPNSSBundleString("CertDumpParams", text);
>+ printableItem->SetDisplayName(text);
Attachment #163877 -
Flags: review-
Assignee | ||
Updated•19 years ago
|
Whiteboard: [kerh-eha]
Updated•19 years ago
|
Summary: Add UI for TLS ECC cipher suites (draft-ietf-tls-ecc-05) → Add UI for TLS ECC cipher suites
Updated•19 years ago
|
Assignee: sheueling.chang → kengert
Component: Security: S/MIME → Security: PSM
Comment 24•19 years ago
|
||
Update for current tip of tree. Uses latest revisions to NSS in patch bug #236245. All ECC cipher suites are added to about:config; only four cipher suites are added to the Preferences UI in Mozilla. Patch should work on Mozilla and Firefox. Requires tip of NSS as well; see patch in bug #317620. Used to successfully build an ECC-enabled version of Firefox, see http://dev.experimentalstuff.com:8082/binaries
Attachment #142389 -
Attachment is obsolete: true
Attachment #143528 -
Attachment is obsolete: true
Attachment #147067 -
Attachment is obsolete: true
Attachment #163877 -
Attachment is obsolete: true
Updated•19 years ago
|
Assignee | ||
Comment 25•19 years ago
|
||
Attachment #205190 -
Attachment is obsolete: true
Assignee | ||
Comment 26•19 years ago
|
||
The Mozilla suite, and its successor SeaMonkey, show the UI changed by this patch.
However, I can't find UI that allows to control the list of ciphers in Firefox or Thunderbird. It appears the developers of FF and TB did not include this ability in their new preferences sections (probably in their attempt to create a simpler UI).
Comment 27•19 years ago
|
||
(In reply to comment #26)
> The Mozilla suite, and its successor SeaMonkey, show the UI changed by this
> patch.
>
> However, I can't find UI that allows to control the list of ciphers in Firefox
> or Thunderbird. It appears the developers of FF and TB did not include this
> ability in their new preferences sections (probably in their attempt to create
> a simpler UI).
I can't comment about TB, but for FF, the only way I know of to change
cipher specs is to point FF to the URL "about:config", type "ssl" in the
Filter and double click on the cipher (such as security.ssl3.dhe_rsa_des_sha
under the Preference Name column) to toggle its Value (enable/disable it).
Perhaps TB has a similar mechanism.
I hope this helps,
vipul
Assignee | ||
Comment 28•19 years ago
|
||
Yes, TB does offer access to about:config, too, it's accessible from preferences.
I guess we agree that there is no other UI that needs to be adjusted.
However, we might want to enhance the security information shown in "page info", Bob Relyea just suggested to me, we should mention that ECC is in use. But that can be a separate bug.
Comment 29•19 years ago
|
||
I think having an 'enable Suite B' or 'Suite B only' button should be available somewhere reasonable accessible
Comment 30•19 years ago
|
||
(In reply to comment #28)
"Page Info" today does not mention anything about the
asymmetric algorithm (e.g. RSA) used for key exchange.
Instead, it only mentions the symmetric key algorithms
used in SSL bulk encryption as in:
"Connection Encrypted: High-grade Encryption (AES-256 256 bit)"
Currently, the only way to see what key exchange mechanism
was used is to click "View" certificate and then peek
at the Algorithm Identifier within "Subject Public Key"
in the Details panel. Even this method does not
always tell you exactly what key exchange method was
used, e.g. there are ciphers like *_ECDHE_RSA_* or
*_DHE_RSA_* where the public key in the cert is RSA
but the key exchange mechanism is (EC)DHE.
We may wish to consider altering the Page Info content
to mention the complete cipher suite, i.e. mention
the key exchange mechanism in addition to the
bulk encryption algorithms. But then one
has to deal with the issue that some customers
might not understand how 224-bit ECC can be
stronger than 1024-bit RSA (most users have no
clue about key sizes and those that don't
have the full picture tend to think bigger
keys are always better).
vipul
Assignee | ||
Comment 31•19 years ago
|
||
> I think having an 'enable Suite B' or 'Suite B only' button should be available
> somewhere reasonable accessible
If I understand correctly, your proposal applies to Firefox/Thunderbird.
Lacking a mechanism to individually control the enabled ciphers by end user UI, in Firefox and Thunderbird, you are proposing to have at least a button, to disable all non-ECC ciphers.
My understanding is 'Suite B only' means 'disable all non ECC ciphers'.
Is your proposal restricted to SSL?
If your proposal is restricted to SSL, we could lobby for an appropriate checkbox be added to FF/TB prefs, near the existing SSL/TLS protocol checkboxes.
Or do you propose this setting should disable non-ECC S/MIME ciphers, too?
(As of today, we don't have any prefs to control the use of S/MIME ciphers.)
Assignee | ||
Comment 32•19 years ago
|
||
Attachment #208002 -
Attachment is obsolete: true
Assignee | ||
Comment 33•19 years ago
|
||
Comment 34•19 years ago
|
||
(In reply to comment #30)
> "Page Info" today does not mention anything about the
> asymmetric algorithm (e.g. RSA) used for key exchange.
> Instead, it only mentions the symmetric key algorithms
> used in SSL bulk encryption as in:
>
> "Connection Encrypted: High-grade Encryption (AES-256 256 bit)"
I wonder when that changed. It certainly did display info about the
key exchange/transport/agreement algorithm at one time.
There are numerous functions in NSS put there expressly to make it easy for
programs like mozilla display all the components of the current ciphersuite,
AND to display information about the strength of the keys in the certs.
If that's not being used, how sad!
Comment 35•19 years ago
|
||
(In reply to comment #31)
> > I think having an 'enable Suite B' or 'Suite B only' button should be available
> > somewhere reasonable accessible
We need to be careful about this. "Suite B" only includes
a small subset of the total curves supported in NSS and currently
there is no API in NSS to enable/disable specific curves. One can
enable/disable specific ECC cipher suites in TLS (for example)
but there's no knob to choose specific curves.
When NSS supports curve negotiation via TLS extensions
(bug 236245, bug 226271), then we'll need a knob like
this and we could support selection of Suite B curves as
a group.
vipul
Assignee | ||
Comment 36•19 years ago
|
||
I'm proposing to devote this bug 235773 to the UI changes only, as the bug summary already suggests.
I have filed separate bug 326159 for all issues remaining to in-browser-key-generation, be it using the HTML KEYGEN tag (which already appears to be working, but I might post some test results) and the JavaScript function crypto.generateCRMFRequest which is not yet implemented - I'm looking into this now.
Assignee | ||
Updated•19 years ago
|
Alias: eccui
Assignee | ||
Comment 37•19 years ago
|
||
Your patch adds configuration options for 20 new ciphers.
However, you only added 4 of them to the UI.
Why?
Comment 38•19 years ago
|
||
(In reply to comment #37)
> Your patch adds configuration options for 20 new ciphers.
> However, you only added 4 of them to the UI.
> Why?
Hi Kai,
Now might be a good time to revisit this decision. The original
reasoning behind choosing to expose only a few was that we were
using these builds only internally for demos etc (pending standardization)
and didn't want to make the already long list of Extra ciphers unwieldy
especially since no one else was using ECC ciphers.
In later versions of the patches, the actual choice of which ciphers to expose
was influenced (perhaps unduely) by the list of ciphers to be included
in vista. Given that Mozilla foundation's new flagship browser Firefox completely
does away with a GUI for choosing ciphers (using, instead, "about:config"), this
issue didn't get much attention.
I'd love to see some more discussion around this especially from someone
like yourself who is more in tune with the future plans for the
Mozilla suite.
vipul
Assignee | ||
Comment 39•19 years ago
|
||
Hi Vipul, thanks for explaining the history of the UI changes.
I agree that we don't need changes for Firefox/Thunderbird,
as the product owners had decided on their own to remove
the dialog to control the ciphers.
Regarding SeaMonkey (Mozilla Suite), my opinion is,
as long as there is a dialog to control ciphers,
it should display (at least) all the ciphers that
are enabled by default.
Please correct me if I'm wrong, but I believe that
sooner or later we will enable the ciphers you are adding
in the patch by default.
This means a total of 20 new ciphers.
I am proposing to undo the change you proposed to the
"Extra SSL3/TLS" tab, but add all EC ciphers in new
tabs of the dialog.
As it wasn't a lot of work, I quickly made that change.
I will attach a new patch and two screenshots that
illustrate this new proposal.
If you agree with this change, could you please review
the human readable wording for all the EC ciphers?
I didn't think much about it, but split the 20 ciphers
into groups and tabs of 10 ECDHE and 10 ECDH ciphers.
The new patch contains an additional small change,
it exports function decode_ec_params so it can be used
in bug 326159.
Blocks: 326159
Assignee | ||
Comment 40•19 years ago
|
||
Rereading comment 26, comment 29 and comment 35, I think it will need more thinking what new ECC/Suite-B UI we should propose for Firefox/Thunderbird.
Assignee | ||
Comment 41•19 years ago
|
||
Changing summary to indicate this bug is only partially about UI.
Summary: Add UI for TLS ECC cipher suites → TLS ECC cipher suites: PSM backend, KEYGEN, SeaMonkey UI
Assignee | ||
Comment 42•19 years ago
|
||
The new patch also addresses timeless' code review comment 23.
Assignee | ||
Comment 43•19 years ago
|
||
> >Index: mozilla/security/manager/ssl/src/nsKeygenHandler.cpp
> >+static SECKEYECParams *
> >+decode_ec_params(char *curve)
> >+ ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
> >+ ecparams->data[0] = SEC_ASN1_OBJECT_ID;
> you just crashed. please check for allocation failure.
Null check added
> > nsKeygenFormProcessor::GetPublicKey(nsAString& aValue, nsAString& aChallenge,
> > nsAFlatString& aKeyType,
> >+ nsAString& aOutPublicKey, nsAString& aKeyParams)
> >@@ -406,12 +540,12 @@
> > } else if (aKeyType.EqualsIgnoreCase("dsa")) {
> > char * end;
> >+ keyparamsString = ToNewCString(aKeyParams);
> > type = dsaKey;
> > keyGenMechanism = CKM_DSA_KEY_PAIR_GEN;
> >+ if (strcmp(keyparamsString, "null") == 0)
> you just crashed in libc because no one null checked ToNewCString (yes, i know,
> you're just changing blame and variable names. i don't care.)
Somebody already added a null check in the latest patch
> >@@ -424,6 +558,13 @@
> > found_match:
> > pqgParams = decode_pqg_params(str);
> >+#ifdef NSS_ENABLE_ECC
> >+ } else if (aKeyType.EqualsIgnoreCase("ec")) {
> >+ keyparamsString = ToNewCString(aKeyParams);
> i'm guessing this will cause issues if you don't check the allocation for
> failure.
Null check added
> > printableItem = new nsNSSASN1PrintableItem();
> no one null checked this for alloc failure, so you're now responsible for the
> crash that follows.
Null check added
Assignee | ||
Comment 44•19 years ago
|
||
Attachment #210976 -
Attachment is obsolete: true
Attachment #210977 -
Attachment is obsolete: true
Assignee | ||
Comment 45•19 years ago
|
||
Assignee | ||
Comment 46•19 years ago
|
||
Comment 47•19 years ago
|
||
Can any one think of a reason to enable an ECDH suite and not also the corresponding ECDHE suite, or vice versa?
I think we could just combine the two, and enable ECDH(e)_ECDSA together
in one check box.
Also, I still think a "suite B" button is a reasonable idea, despite
lack of curve controls (at present).
Initially, it can mean "exclude any non-suite-B algorithms", and then
later it can also imply "exclude any non-suite-B curves".
Assignee | ||
Comment 48•19 years ago
|
||
> Can any one think of a reason to enable an ECDH suite and not also the
> corresponding ECDHE suite, or vice versa?
>
> I think we could just combine the two, and enable ECDH(e)_ECDSA together
> in one check box.
If it does not make sense to enable them individually, I wonder why NSS offers them as separate cipher suites.
The current pref system has an automatic mapping from one checkbox to one NSS cipher suite. If you want to change that, to map one checkbox to multiple cipher suite preferences, that would require more work than I'd personally be willing to invest in a SeaMonkey only patch.
Comment 49•19 years ago
|
||
(In reply to comment #39)
> I am proposing to undo the change you proposed to the
> "Extra SSL3/TLS" tab, but add all EC ciphers in new
> tabs of the dialog.
> I didn't think much about it, but split the 20 ciphers
> into groups and tabs of 10 ECDHE and 10 ECDH ciphers.
My main concern with this approach is that it treats
ECC ciphers differently than existing ciphers using
other key exchange mechanisms, e.g. RSA, DHE.
I do realize that adding another 20 ciphers in the
Extra SSL3/TLS tab is also not an attractive option.
So I'm out of ideas on this one and perhaps we
should just add a new tab labelled "Extra ECC"
(or similar) and put all the ECC ciphers there.
thoughts?
vipul
Assignee | ||
Comment 50•19 years ago
|
||
More than 12 ciphers per page will make the dialog too large for small screens. That was the reason why I split the list.
Now that we have much more ciphers, and offering them all exceeds the limits of our current UI, and it would require more thinking and work to come up with a good solution, that will be SeaMonkey only, we have one more option: Remove the "edit ciphers" button and the dialog, and point people to about:config - which works in SeaMonkey, too.
Comment 51•19 years ago
|
||
Comment on attachment 215954 [details] [diff] [review]
Patch 2006-03-23 for 1.8 branch
just a minor note, there seem to be places where you have 4/2 and 4/3 indentation instead of simply 4 space or 2 space...
Assignee | ||
Comment 52•19 years ago
|
||
Vipul wrote:
> We need to be careful about this. "Suite B" only includes
> a small subset of the total curves supported in NSS and currently
> there is no API in NSS to enable/disable specific curves. One can
> enable/disable specific ECC cipher suites in TLS (for example)
> but there's no knob to choose specific curves.
Nelson wrote:
> Also, I still think a "suite B" button is a reasonable idea, despite
> lack of curve controls (at present).
> Initially, it can mean "exclude any non-suite-B algorithms", and then
> later it can also imply "exclude any non-suite-B curves".
Nelson, you are proposing a UI that uses a wording "Suite B only",
but for the time being, allow it to have curves enabled, that
are not Suite B?
I think that would be confusing.
What is the motivation for exposing a "Suite B" UI to end users?
The only motivation I can see is, if a user decides,
"I only want this cool new stuff", am I right?
How likely is it a user will want to enable this any time soon?
As ECC support is just starting to come up, it appears very unlikely
to me that users want to disable "old SSL/TLS stuff" any time soon,
because they want to communicate with all the servers they find in
the wild.
If my understanding is right, I'd say, we don't need this UI
short term, but could postpone adding that UI to a later version.
If somebody really wants to use only Suite-B immediately,
they can change the prefs.
If you think, disabling several individual ciphers prefs
(using about:config) is too much of a hassle for admins or end
users, we could start using a new "Suite B only" hidden pref.
If you think we should add that pref, I propose we make that pref
correct with regards to its meaning, right from the beginning.
That means, I propose to have a "positive list" of the ciphers
known to be part of Suite B at compile time
(because Vipul explained, we want to enable EC ciphers that
are not part of Suite B).
So I see the following options.
Let's start with the simplest, Thunderbird.
As of today, Thunderbird does not even have a UI to enable/disable
SSL versions. It's unlikely that we will get approval to add
a "Suite B SSL" UI.
However, a "Suite B hidden pref" solution would apply to TB, too.
For Firefox (and SeaMonkey) I see the following options:
a) Do not add a checkbox to Firefox.
Do not add a hidden "only Suite B" pref.
Just have all the individual cipher prefs, so users and
admins can control which ciphers they want.
b) Do not add a checkbox to Firefox.
Add a new "only Suite B" hidden pref,
in addition to all the individual ciphers prefs,
Add a positive list to our C++ files that explicitly
list all Suite B ciphers/curves known at compile time.
This pref will be disabled by default.
If user enables pref,
only the Suite B ciphers/curves will be enabled,
all other curves disabled,
and all non EC ciphers disabled.
c) Add a checkbox that says "Suite B" only,
that controls the same positive list as described above in (b)
For SeaMonkey (Mozilla Suite) ciphers I see the following options:
d) Take the simple patch and screenshot as is.
e) Invest more time and work to make the "edit ciphers" dialog
"more reasonable".
f) Remove the "Edit Ciphers" button and dialog,
just have users go to about:config
My personal votes are:
(a) (because I think the UI is not required initially)
but I could live with (b),
and I think (c) will be difficult to get into FireFox 2,
because we'll have to convince the Firefox UI owners
this control makes sense. Seems unlikely to me at
this point of time, where EC is not yet used.
and
(f) (because I think working on "SeaMonkey only" logic
is not worth it)
What are you voting for?
Assignee | ||
Comment 53•19 years ago
|
||
This Seamonkey-only patch removes the "edit ciphers" button from preferences UI.
It also removes the dialogs that edit and information dialogs that can be accessed using the button.
It seems reasonable to remove this UI,
- as the list of ciphers will grow,
- the UI will soon be incomplete,
- all ciphers (old and new) can be controlled using about:config anyway
Neil, are you ok with this change?
Attachment #215955 -
Attachment is obsolete: true
Attachment #215956 -
Attachment is obsolete: true
Attachment #217425 -
Flags: ui-review?(neil)
Assignee | ||
Comment 54•19 years ago
|
||
This Patch v11 is based on Patch 2006-03-32, with the following differences:
- removed the code that changes the "edit ciphers" UI
- set NSS_ENABLE_ECC from within PSM Makefile, eliminating the need to set environment variables
Attachment #215954 -
Attachment is obsolete: true
Attachment #217431 -
Flags: review?(rrelyea)
Updated•19 years ago
|
Attachment #217425 -
Flags: ui-review?(neil) → ui-review+
Comment 55•19 years ago
|
||
Comment on attachment 217431 [details] [diff] [review]
Patch v11
r+=relyea
Attachment #217431 -
Flags: review?(rrelyea) → review+
Assignee | ||
Comment 56•19 years ago
|
||
This version incorporates changes proposed by Bob.
- in nsKeygenHandler.cpp, there was an inconsistency between the curves
menionted in the comment, and curves used in the actual code.
I adjusted the comment.
- I changed the Low/512 security choice,
we no longer use secp160r1, but secp192r1.
Bob argued, this curve is faster in our code, and is more likely
to be compatible with other's code.
Although this change does not have much real world effect,
as our UI does not offer the user the Low security choice,
but medium and high only.
(But still, this mapping helps when the code is executed in the
context of the crypto.generateCRMFRequest function)
- Finally I removed #define DEFAULT_CURVE_OID_TAG
because it is never used.
Attachment #217431 -
Attachment is obsolete: true
Attachment #218288 -
Flags: review+
Assignee | ||
Comment 57•19 years ago
|
||
The previous patch revision v12 contained code, that is related to key generation. I moved those portions over to patch v4 in bug 326159.
In addition, this patch now enables all the new ciphers by default (expect the NULL ciphers).
Attachment #218288 -
Attachment is obsolete: true
Assignee | ||
Updated•19 years ago
|
Summary: TLS ECC cipher suites: PSM backend, KEYGEN, SeaMonkey UI → TLS ECC cipher suites: PSM backend, SeaMonkey UI
Assignee | ||
Updated•19 years ago
|
Attachment #219899 -
Flags: review?
Assignee | ||
Updated•19 years ago
|
Attachment #219899 -
Flags: review? → review?(rrelyea)
Comment 58•19 years ago
|
||
Comment on attachment 219899 [details] [diff] [review]
Patch v13
r=darin for the necko part
Attachment #219899 -
Flags: review+
Comment 59•19 years ago
|
||
Comment on attachment 219899 [details] [diff] [review]
Patch v13
r+=rrelyea.
Attachment #219899 -
Flags: review?(rrelyea) → review+
Assignee | ||
Comment 60•19 years ago
|
||
Attachment #220163 -
Flags: review?(rrelyea)
Assignee | ||
Comment 61•19 years ago
|
||
Attachment #220164 -
Flags: review?(wtchang)
Attachment #220164 -
Flags: approval-branch-1.8.1?(wtchang)
Assignee | ||
Updated•19 years ago
|
Attachment #217425 -
Flags: review?(rrelyea)
Comment 62•19 years ago
|
||
Comment on attachment 220164 [details] [diff] [review]
patch to check out NSS_3_11_2_BETA_20060428_TAG
r=wtc. I verified that the tag is the same as
the tip of the NSS_3_11_BRANCH.
Attachment #220164 -
Flags: review?(wtchang)
Attachment #220164 -
Flags: review+
Attachment #220164 -
Flags: approval-branch-1.8.1?(wtchang)
Attachment #220164 -
Flags: approval-branch-1.8.1+
Comment 63•19 years ago
|
||
Comment on attachment 220163 [details] [diff] [review]
PSM makefile patch to enable ECC in NSS
This patch works, but I'd do it in a different way
if PSM will always have ECC enabled.
In mozilla/security/manager/Makefile.in, add
DEFAULT_GMAKE_FLAGS += NSS_ENABLE_ECC=1
In the PSM source files, just get rid of
#ifdef NSS_ENABLE_ECC.
Assignee | ||
Comment 64•19 years ago
|
||
Attachment #220163 -
Attachment is obsolete: true
Attachment #220210 -
Flags: review?(wtchang)
Attachment #220163 -
Flags: review?(rrelyea)
Comment 65•19 years ago
|
||
Comment on attachment 220210 [details] [diff] [review]
PSM makefile patch2 to enable ECC in NSS
r=wtc.
Attachment #220210 -
Flags: review?(wtchang) → review+
Comment 66•19 years ago
|
||
Comment on attachment 217425 [details] [diff] [review]
Patch, Seamonkey only, removes UI to edit and show cipher info
r+=rrelyea
Attachment #217425 -
Flags: review?(rrelyea) → review+
Assignee | ||
Updated•19 years ago
|
Attachment #220164 -
Attachment is obsolete: true
Assignee | ||
Comment 67•19 years ago
|
||
This patch is mostly the same as Patch v13, however, it is a less intrusive patch. In this patch the new ciphers are now DISABLED by default (set to false).
This change has r=wtchang over the phone.
I'm carrying forward the reviews for the remained of the patch.
Attachment #219899 -
Attachment is obsolete: true
Attachment #222058 -
Flags: review+
Assignee | ||
Comment 68•19 years ago
|
||
Comment 69•19 years ago
|
||
Comment on attachment 222058 [details] [diff] [review]
Patch v13 b
What is the motivation for this patch?
Assignee | ||
Comment 70•19 years ago
|
||
Comment on attachment 222061 [details] [diff] [review]
Patch to change ECC prefs from disabled to enabled
sorry, there was a misunderstanding on my part
Attachment #222061 -
Attachment is obsolete: true
Assignee | ||
Updated•19 years ago
|
Attachment #222058 -
Attachment is obsolete: true
Attachment #222058 -
Flags: review+ → review-
Assignee | ||
Comment 71•19 years ago
|
||
Comment on attachment 219899 [details] [diff] [review]
Patch v13
I'm taking back my obsolete flag on this patch. This is still what we want.
Attachment #219899 -
Attachment is obsolete: false
Assignee | ||
Updated•19 years ago
|
Attachment #219899 -
Flags: approval-branch-1.8.1+
Assignee | ||
Comment 72•19 years ago
|
||
Comment on attachment 219899 [details] [diff] [review]
Patch v13
This patch has been checked in on the trunk with checkin comment:
"This check in will make PSM aware of ECC cipher suites. Nightly builds will not yet contain ECC, because NSS is still being compiled with ECC disabled."
Assignee | ||
Updated•19 years ago
|
Attachment #217425 -
Flags: approval-branch-1.8.1+
Assignee | ||
Comment 73•19 years ago
|
||
Comment on attachment 217425 [details] [diff] [review]
Patch, Seamonkey only, removes UI to edit and show cipher info
In addition to Neil's UI approval for this SeaMonkey only UI-removal patch, I just received 1.8 branch approval from CTho (cst at andrew.cmu.edu) on IRC.
Assignee | ||
Comment 74•19 years ago
|
||
Comment on attachment 219899 [details] [diff] [review]
Patch v13
This patch has been checked in to MOZILLA_1_8_BRANCH with checkin comment:
"This check in will make PSM aware of ECC cipher suites. Nightly builds will not yet contain ECC, because NSS is still being compiled with ECC disabled."
Comment 75•19 years ago
|
||
Comment on attachment 217425 [details] [diff] [review]
Patch, Seamonkey only, removes UI to edit and show cipher info
Checking in (1.8 branch)
locales/en-US/chrome/pippki/pref-ssl.dtd;
new revision: 1.1.8.3; previous revision: 1.1.8.2
pki/resources/content/pref-ssl.xul;
new revision: 1.27.8.3; previous revision: 1.27.8.2
done
Removing (1.8 branch)
pki/resources/content/cipherinfo.js;
new revision: delete; previous revision: 1.1
pki/resources/content/cipherinfo.xul;
new revision: delete; previous revision: 1.2
pki/resources/content/pref-ciphers.js;
new revision: delete; previous revision: 1.4
pki/resources/content/pref-ciphers.xul;
new revision: delete; previous revision: 1.13.18.1
pki/resources/content/ssl2ciphers.xul;
new revision: delete; previous revision: 1.1.92.1
pki/resources/content/ssl3tlsciphers.xul;
new revision: delete; previous revision: 1.1
done
Comment 76•19 years ago
|
||
Missing jar diff changes.
Note to kaie should ssl3tlsciphers2.xul still be in the tree?
Comment 77•19 years ago
|
||
Comment on attachment 222814 [details] [diff] [review]
Missing jar diff patch
Checking in (1.8 branch)
jar.mn;
new revision: 1.45.4.4; previous revision: 1.45.4.3
done
Assignee | ||
Comment 78•19 years ago
|
||
Comment on attachment 222814 [details] [diff] [review]
Missing jar diff patch
ssl3tlsciphers2.xul can be cleared/removed, too, and the jar.mn change should be applied to the trunk, too.
Attachment #222814 -
Flags: review+
Comment 79•19 years ago
|
||
(In reply to comment #78)
> (From update of attachment 222814 [details] [diff] [review] [edit])
> ssl3tlsciphers2.xul can be cleared/removed, too, and the jar.mn change should
> be applied to the trunk, too.
>
Checking in (1.8 branch)
jar.mn;
new revision: 1.45.4.5; previous revision: 1.45.4.4
Removing (1.8 branch)
content/ssl3tlsciphers2.xul;
new revision: delete; previous revision: 1.3
done
Comment 80•19 years ago
|
||
Jar change patch for trunk, carrying forward r=
Attachment #222862 -
Flags: review+
Comment 81•19 years ago
|
||
Comment on attachment 222862 [details] [diff] [review]
Trunk jar patch
Checking in (trunk)
jar.mn;
new revision: 1.49; previous revision: 1.48
Removing (trunk)
content/cipherinfo.js;
new revision: delete; previous revision: 1.2
content/cipherinfo.xul;
new revision: delete; previous revision: 1.3
content/pref-ciphers.js;
new revision: delete; previous revision: 1.5
content/pref-ciphers.xul;
new revision: delete; previous revision: 1.15
content/ssl2ciphers.xul;
new revision: delete; previous revision: 1.3
content/ssl3tlsciphers.xul;
new revision: delete; previous revision: 1.2
content/ssl3tlsciphers2.xul;
new revision: delete; previous revision: 1.3
done
Updated•18 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1
Assignee | ||
Updated•18 years ago
|
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Attachment #220210 -
Flags: approval1.8.1?
Comment 82•18 years ago
|
||
Comment on attachment 220210 [details] [diff] [review]
PSM makefile patch2 to enable ECC in NSS
a=darin on behalf of drivers
Attachment #220210 -
Flags: approval1.8.1? → approval1.8.1+
Assignee | ||
Updated•18 years ago
|
Keywords: fixed1.8.1
You need to log in
before you can comment on or make changes to this bug.
Description
•