Enable TLS session ticket extension in FF

RESOLVED FIXED in mozilla1.9beta4

Status: RESOLVED FIXED
Opened: 10 years ago
Last Resolved: 10 years ago
Product: Core
Component: Security: PSM
Priority: P2
Severity: enhancement
Reporter: Nagendra Modadugu
Assigned: kaie
Keywords: perf, relnote
Version: Trunk
Target Milestone: mozilla1.9beta4
Bug Flags: wanted1.9 +
Firefox Tracking Flags: Not tracked
Attachments: 1 attachment, 3 obsolete attachments
(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: 

Bug 403563 describes a feature enhancement to the TLS implementation in NSS: the TLS Session Ticket Extension, as specified in rfc4507bis.

This bug tracks an enhancement to FF that enables the Session Ticket Extension for all secure connections.

Reproducible: Always

(Reporter)

Comment 1

10 years ago
Created attachment 300602 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF
(Reporter)

Updated

10 years ago
Depends on: 403563
Hardware: PC → All
I think this belongs to product: "core", component: "Security: PSM".
(Reporter)

Updated

10 years ago
Component: Security → Security
Product: Firefox → Core
Version: unspecified → psm2.4

Comment 3

10 years ago
please include -p in your diff flags.

is there something that explains why we're adding the feature? (a requirements document...)
Assignee: nobody → kengert
Component: Security → Security: PSM
QA Contact: firefox → psm
Version: psm2.4 → Trunk
(Reporter)

Comment 4

10 years ago
Created attachment 300736 [details] [diff] [review]
 Enable TLS Session Ticket Extension in FF (v2)

Shortened SSL_ENABLE_SESSION_TICKET_EXTENSION to SSL_ENABLE_SESSION_TICKETS.
Attachment #300602 - Attachment is obsolete: true
(Reporter)

Comment 5

10 years ago
(In reply to comment #3)
> please include -p in your diff flags.
> 
> is there something that explains why we're adding the feature? (a requirements
> document...)
> 

This feature is not listed in the FF3 PRD; I am describing the feature below.  Please let me know if this description should also appear elsewhere.
--
The TLS Session Ticket Extension (described in RFC4507bis) allows servers to pass SSL session state to clients in the form of an encrypted ticket.  This feature allows browsers to resume connections with load-balanced server pools without placing requirements on server affinity.  Note that server affinity for SSL means that load balancers need to terminate TCP connections, read the SSL session ID, and then forward the connection appropriately.  The session ticket extension allows servers and load balancers to be stateless, at least from an SSL perspective.

Higher SSL resume rates imply lower average handshake latency (by one round trip), and lower CPU load on servers that results from avoiding public key operations.  Hopefully lower latency and CPU load will encourage service providers to increase their use of SSL.

From a security perspective, client side impact is minimal -- clients treat tickets as opaque data after all (most of the changes are server side -- creation and usage of tickets).

We have tested interoperability with OpenSSL, which included support for the Session Ticket Extension as of the 0.9.8g release.
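
The stateless resumption described in comment 5, as an added sketch that is not part of the bug, the patch, NSS or Firefox. The ticket layout follows the recommended construction in RFC 5077 (the published form of rfc4507bis); the `PoolServer` class, its method names and the sample session state are hypothetical, and an HMAC-SHA256 keystream stands in for AES-128-CBC so the block runs on the Python standard library alone.

```python
import hashlib, hmac, json, os

def _keystream(key, iv, n):
    # Stand-in for AES-128-CBC (assumption: stdlib only): HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class PoolServer:
    """One TLS terminator in a load-balanced pool: holds ticket keys, no session cache."""
    def __init__(self, key_name, enc_key, mac_key):
        self.key_name, self.enc_key, self.mac_key = key_name, enc_key, mac_key

    def issue_ticket(self, session_state):
        # Layout: key_name(16) | iv(16) | len(2) | encrypted_state | mac(32)
        iv = os.urandom(16)
        plain = json.dumps(session_state).encode()
        enc = bytes(a ^ b for a, b in zip(plain, _keystream(self.enc_key, iv, len(plain))))
        body = self.key_name + iv + len(enc).to_bytes(2, "big") + enc
        return body + hmac.new(self.mac_key, body, hashlib.sha256).digest()

    def resume(self, ticket):
        """Return the session state, or None to fall back to a full handshake."""
        if len(ticket) < 16 + 16 + 2 + 32 or ticket[:16] != self.key_name:
            return None                      # too short, or issued under another key
        body, mac = ticket[:-32], ticket[-32:]
        if not hmac.compare_digest(mac, hmac.new(self.mac_key, body, hashlib.sha256).digest()):
            return None                      # verify the MAC before decrypting anything
        iv, enc = body[16:32], body[34:]
        if int.from_bytes(body[32:34], "big") != len(enc):
            return None
        plain = bytes(a ^ b for a, b in zip(enc, _keystream(self.enc_key, iv, len(enc))))
        return json.loads(plain)

def demo():
    # Constructed sample: two pool members share ticket keys, a third server does not.
    name, ek, mk = os.urandom(16), os.urandom(16), os.urandom(32)
    a, b = PoolServer(name, ek, mk), PoolServer(name, ek, mk)
    outsider = PoolServer(os.urandom(16), os.urandom(16), os.urandom(32))
    state = {"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "master_secret": os.urandom(48).hex()}
    ticket = a.issue_ticket(state)           # the client stores this as opaque bytes
    tampered = ticket[:40] + bytes([ticket[40] ^ 1]) + ticket[41:]
    return {"same_pool": b.resume(ticket) == state,   # no affinity to server A needed
            "tampered": b.resume(tampered), "other_key": outsider.resume(ticket)}

if __name__ == "__main__":
    print(demo())
```

The client never parses the ticket; a `None` result on the server side means a full handshake, not a failed connection.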
(Reporter)

Updated

10 years ago
Duplicate of this bug: 404034

Updated

10 years ago
Flags: wanted1.9+
Priority: -- → P2

Updated

10 years ago
Keywords: perf

Updated

10 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 7

10 years ago
Created attachment 304926 [details] [diff] [review]
  Enable TLS Session Ticket Extension in FF (v3)

* Added an about:config item for the TLS session ticket extension
Attachment #300736 - Attachment is obsolete: true

Comment 8

10 years ago
Comment on attachment 304926 [details] [diff] [review]
  Enable TLS Session Ticket Extension in FF (v3)

Kai, could you also take a look at this patch?

This patch modifies three files.

1. mozilla/netwerk/base/public/security-prefs.js

The change is good.

2. mozilla/security/manager/ssl/src/nsNSSComponent.cpp

The changes look good, except that I'm not sure if we
need to clear the session cache when the user toggles
the TLS session tickets preference setting.

Nagendra, did you set clearSessionCache = PR_TRUE
deliberately, or did you copy it from the SSL_ENABLE_TLS
code above inadvertently?

Do you think we should clear the session cache?

By the way, does your editor automatically delete blank
lines at the end of files?

3. mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp

I believe the change is now incorrect because of the
use of the preference setting.  We need to delete this
code.
Attachment #304926 - Flags: review?(kengert)
(Reporter)

Comment 9

10 years ago
(In reply to comment #8)
> (From update of attachment 304926 [details] [diff] [review])
> Kai, could you also take a look at this patch?
> 
> This patch modifies three files.
> 
> 1. mozilla/netwerk/base/public/security-prefs.js
> 
> The change is good.
> 
> 2. mozilla/security/manager/ssl/src/nsNSSComponent.cpp
> 
> The changes look good, except that I'm not sure if we
> need to clear the session cache when the user toggles
> the TLS session tickets preference setting.
> 
>
> Nagendra, did you set clearSessionCache = PR_TRUE
> deliberately, or did you copy it from the SSL_ENABLE_TLS
> code above inadvertently?
> 
> Do you think we should clear the session cache?
>

I decided to clear the session cache so that session ticket behavior will change immediately, but you are right -- there is no need to clear the session cache as tickets will not be sent if the option is disabled.  I have reverted this line.

> By the way, does your editor automatically delete blank
> lines at the end of files?

Yes, emacs seems to be clever that way.  I've fixed this.

> 
> 3. mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp
> 
> I believe the change is now incorrect because of the
> use of the preference setting.  We need to delete this
> code.
> 

Reverted these changes.  Patch to follow shortly.
(Reporter)

Comment 10

10 years ago
Created attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

Addressing Wan-Teh's comments.  

I built Minefield using this patch and the option shows up in the about:config page as expected.
Attachment #304926 - Attachment is obsolete: true
Attachment #304926 - Flags: review?(kengert)

Comment 11

10 years ago
wtc, Nagendra, we're really interested in getting this for FF3. Thanks so much.

Comment 12

10 years ago
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

r=wtc
Attachment #305117 - Flags: review+

Updated

10 years ago
Attachment #305117 - Flags: review?(kengert)

Comment 13

10 years ago
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

r+ please add kai to the CC list, though.

bob
Attachment #305117 - Flags: review?(kengert) → review+

Comment 14

10 years ago
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

I don't know if two module peers' reviews are enough for a PSM
patch, or we need at least one module owner's review.
Attachment #305117 - Flags: review?(kengert)
(Assignee)

Comment 15

10 years ago
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

r=kengert

You do not need superreview if you have two or more PSM peer/module owner reviews.
Attachment #305117 - Flags: review?(kengert) → review+

Comment 16

10 years ago
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

Requesting approval to check in the patch on the Mozilla trunk
for Firefox 3 Beta 4.

This patch adds a hidden preference for enabling or disabling
the TLS session ticket extension.  The preference is on by
default.  The preference has no effect if the NSS libraries
don't support this TLS extension.  This allows us to work with
different versions of (bundled or system) NSS.
Attachment #305117 - Flags: approval1.9?
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

a1.9+=damons
Attachment #305117 - Flags: approval1.9? → approval1.9+

Comment 18

10 years ago
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

I checked in the patch on the Mozilla trunk for FF 3 Beta 4.

Checking in netwerk/base/public/security-prefs.js;
/cvsroot/mozilla/netwerk/base/public/security-prefs.js,v  <--  security-prefs.js
new revision: 1.20; previous revision: 1.19
done
Checking in security/manager/ssl/src/nsNSSComponent.cpp;
/cvsroot/mozilla/security/manager/ssl/src/nsNSSComponent.cpp,v  <--  nsNSSComponent.cpp
new revision: 1.158; previous revision: 1.157
done

Updated

10 years ago
Keywords: relnote

Updated

10 years ago
Target Milestone: --- → mozilla1.9beta4
(Assignee)

Updated

10 years ago
Depends on: 420151
Looks like this landed, and so I'm closing it.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED