Closed
Bug 236507
(ecc)
Opened 21 years ago
Closed 18 years ago
Enable ECC ciphersuites by default in PSM
Categories
(Core Graveyard :: Security: UI, enhancement, P2)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: nelson, Assigned: KaiE)
References
Details
The following comments were extracted from bug 235773.
Several comments about turning ECC on in mozilla by default.
1. Best to wait until the ECC-TLS drafts become an RFC.
2. IINM, the implementation of ECC/TLS in NSS matches an older draft,
not draft 5 (current draft as of this writing).
Draft 5 includes negotiation of ECC curves in TLS/SSL. The earlier draft,
now implemented in NSS (and IINM in OpenSSL and elsewhere) did not feature
negotiation of ECC curves. This meant that a client and a server that both
supported ECC ciphersuites (but disjoint sets of curves) and also both
supported a common set of non-ECC ciphersuites could (and probably would)
negotiate an ECC ciphersuite and then fail to complete the handshake,
rather than succesfully handshaking with a Non-ECC ciphersuite.
For a browser user, that problem would be highly similar to the "TLS
intolerance" problem, which mozilla now works around by reconnecting and
rehandshaking with TLS disabled after a failed handshake with it enabled.
This is known as "transparent recovery". Before mozilla added that, users
found it necessary to disable TLS to connect to many secure web sites.
I think it's clear that we don't want users having to do that for ECC.
IMO, we also don't want mozilla to make more than 2 attempts to connect
and handshake in order to succesfully conclude one handshake, as it might
if it had to try once with ECC, once with TLS but not ECC, and finally
perhaps a third time with only SSL3 and not ECC.
Internet Draft 5 of ECC/TLS provides ECC curve negotiation which will
solve this problem, but only if/when SSL/TLS handshakes stop using SSL2
compatible client hellos. IOW, SSL2 must die before ECC/TLS becomes
viable (IMO). And curve negotiation is not yet implemented in NSS, IINM.
So, I think we've got a ways further to go before we're ready to enable
ECC/TLS by default. But I do hope we'll get there before too long.
And adding UI to enable/disable ECC/TLS is a good step in the meantime.
|
Assignee | |
Comment 1•20 years ago
|
||
You are requesting that we could start with a simple first step, adding UI for
the new SSL mode, adding a pref to store the selection, and by using the new
pref, like we currently do for the SSL v2 / v3 /TLS prefs.
That should be straightforward and easy to do.
|
|
Assignee | |
Comment 2•20 years ago
|
||
Mozilla/PSM uses the following calls to enable SSL v2/v3/TLS:
PRBool enabled;
mPrefBranch->GetBoolPref("security.enable_ssl2", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_SSL2, enabled);
mPrefBranch->GetBoolPref("security.enable_ssl3", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_SSL3, enabled);
mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
However, I can't find other constants in NSS that would enable something like ECC.
Nelson, please advise how to instruct NSS to do what you suggest.
Priority: -- → P2
|
||
Comment 3•20 years ago
|
||
Hello Kai,
If you look at the patch for Bug 235773, it already does this.
In particular, it adds check boxes for ECC ciphersuites in
Mozilla preferences Privacy & Privacy->SSL->Edit Ciphers
->Extra SSL3/TLS ciphers. Let me know if that's not
what you are looking for.
vipul
(In reply to comment #2)
> Mozilla/PSM uses the following calls to enable SSL v2/v3/TLS:
> PRBool enabled;
> mPrefBranch->GetBoolPref("security.enable_ssl2", &enabled);
> SSL_OptionSetDefault(SSL_ENABLE_SSL2, enabled);
> mPrefBranch->GetBoolPref("security.enable_ssl3", &enabled);
> SSL_OptionSetDefault(SSL_ENABLE_SSL3, enabled);
> mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
> SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
>
> However, I can't find other constants in NSS that would enable something like ECC.
>
> Nelson, please advise how to instruct NSS to do what you suggest.
>
|
Reporter | |
Comment 4•20 years ago
|
||
(In reply to comment #3), Vipul wrote:
> If you look at the patch for Bug 235773, it already does this.
*The* patch? There are 6 patches attached to that bug.
|
|
||
Comment 5•20 years ago
|
||
I should have been more explicit. For Mozilla, attachment 147067 [details] [diff] [review]
is what I meant (for Firefox, the equivalent patch is in attchment
163877).
thanks,
vipul
(In reply to comment #4)
> (In reply to comment #3), Vipul wrote:
> > If you look at the patch for Bug 235773, it already does this.
>
> *The* patch? There are 6 patches attached to that bug.
>
>
|
|
Assignee | |
Comment 6•20 years ago
|
||
Making dependent on bug 235773.
Before (or at the same time) we enable them by default, the UI allowing to
disable must be in place.
Depends on: eccui
|
|
Assignee | |
Updated•19 years ago
|
Alias: ecc
|
|
Assignee | |
Comment 7•19 years ago
|
||
Because of the availability of about:config
we can disregard my comment 5.
|
|
Assignee | |
Comment 8•18 years ago
|
||
Happened for SSL/TLS as part of other checkins.
WORKSFORME
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
|
||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•