Bug 415033: Enable TLS session ticket extension in FF
Opened 16 years ago, closed 16 years ago
Categories: Core :: Security: PSM, enhancement, P2
Tracking: RESOLVED FIXED, mozilla1.9beta4
People: Reporter: ngm+mozilla, Assigned: KaiE
Keywords: perf, relnote
Attachments: 1 file, 3 obsolete files
2.23 KB, patch | wtc: review+, rrelyea: review+, KaiE: review+, damons: approval1.9+
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier:

Bug 403563 describes a feature enhancement to the TLS implementation in NSS: the TLS Session Ticket Extension, as specified in rfc4507bis. This bug tracks an enhancement to FF that enables the Session Ticket Extension for all secure connections.

Reproducible: Always

Steps to Reproduce: 1. 2. 3.
Comment 1 • 16 years ago (Reporter)
Comment 2 • 16 years ago
I think this belongs to product: "core", component: "Security: PSM".
Updated • 16 years ago (Reporter)
Product: Firefox → Core
Version: unspecified → psm2.4
please include -p in your diff flags. is there something that explains why we're adding the feature? (a requirements document...)
Assignee: nobody → kengert
Component: Security → Security: PSM
QA Contact: firefox → psm
Version: psm2.4 → Trunk
Comment 4 • 16 years ago (Reporter)
Shortened SSL_ENABLE_SESSION_TICKET_EXTENSION to SSL_ENABLE_SESSION_TICKETS.
Attachment #300602 - Attachment is obsolete: true
Comment 5 • 16 years ago (Reporter)
(In reply to comment #3)
> please include -p in your diff flags.
>
> is there something that explains why we're adding the feature? (a requirements
> document...)
>

This feature is not listed in the FF3 PRD; I am describing the feature below. Please let me know if this description should also appear elsewhere.

--

The TLS Session Ticket Extension (described in RFC4507bis) allows servers to pass SSL session state to clients in the form of an encrypted ticket. This feature allows browsers to resume connections with load balanced server pools without placing requirements on server affinity. Note that server affinity for SSL means that load balancers need to terminate TCP connections, read the SSL session ID, and then forward the connection appropriately. The session ticket extension allows servers and load-balancers to be stateless, at least from an SSL perspective.

Higher SSL resume rates imply lower average handshake latency (by one round trip), and lower CPU load on servers that results from avoiding public key operations. Hopefully lower latency and CPU load will encourage service providers to increase their use of SSL.

From a security perspective, client side impact is minimal -- clients treat tickets as opaque data after all (most of the changes are server side -- creation and usage of tickets).

We have tested interoperability with OpenSSL, which included support for the Session Ticket Extension as of the 0.9.8g release.
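Added illustration, not part of the bug thread or of the NSS/Firefox code: a sketch of the mechanism comment 5 describes, where one pool member seals session state into a ticket and another resumes from it with no shared cache or server affinity. `TicketServer`, the ticket layout, and the HMAC-based stand-in cipher are assumptions chosen so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import os

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode; a real server would use AES.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class TicketServer:
    """Hypothetical pool member: holds the shared ticket keys, no session cache."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key

    def _mac(self, body):
        return hmac.new(self.mac_key, body, hashlib.sha256).digest()

    def issue(self, state):
        # Ticket = nonce || encrypted state || MAC (encrypt-then-MAC).
        nonce = os.urandom(16)
        body = nonce + _xor_stream(self.enc_key, nonce, json.dumps(state).encode())
        return body + self._mac(body)

    def resume(self, ticket, now):
        # Returns the session state, or None meaning "do a full handshake".
        if len(ticket) < 16 + 32:
            return None
        body, tag = ticket[:-32], ticket[-32:]
        if not hmac.compare_digest(tag, self._mac(body)):
            return None  # forged, corrupted, or sealed under another pool's keys
        state = json.loads(_xor_stream(self.enc_key, body[:16], body[16:]))
        return state if now < state["expires"] else None

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # constructed pool keys
    server_a, server_b = TicketServer(enc_key, mac_key), TicketServer(enc_key, mac_key)
    state = {"suite": "TLS_RSA_WITH_AES_128_CBC_SHA",  # constructed sample state
             "master_secret": os.urandom(48).hex(), "expires": 1000}
    ticket = server_a.issue(state)  # the client stores these bytes without parsing them
    tampered = ticket[:20] + bytes([ticket[20] ^ 1]) + ticket[21:]
    return {"resumed_on_b": server_b.resume(ticket, 500) == state,
            "tampered": server_b.resume(tampered, 500),
            "expired": server_b.resume(ticket, 2000)}

if __name__ == "__main__":
    print(demo())
```

A `None` from `resume` is not an error for the client: the server simply continues with a full handshake, which is why a rejected or expired ticket costs a round trip rather than a failed connection.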
Updated • 16 years ago
Flags: wanted1.9+
Priority: -- → P2
Updated • 16 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 7 • 16 years ago (Reporter)
* Added an about:config item for the TLS session ticket extension
Attachment #300736 - Attachment is obsolete: true
Comment 8 • 16 years ago
Comment on attachment 304926: Enable TLS Session Ticket Extension in FF (v3)

Kai, could you also take a look at this patch?

This patch modifies three files.

1. mozilla/netwerk/base/public/security-prefs.js

The change is good.

2. mozilla/security/manager/ssl/src/nsNSSComponent.cpp

The changes look good, except that I'm not sure if we need to clear the session cache when the user toggles the TLS session tickets preference setting.

Nagendra, did you set clearSessionCache = PR_TRUE deliberately, or did you copy it from the SSL_ENABLE_TLS code above inadvertently?

Do you think we should clear the session cache?

By the way, does your editor automatically delete blank lines at the end of files?

3. mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp

I believe the change is now incorrect because of the use of preference setting. We need to delete this code.
Attachment #304926 - Flags: review?(kengert)
Comment 9 • 16 years ago (Reporter)
(In reply to comment #8)
> (From update of attachment 304926)
> Kai, could you also take a look at this patch?
>
> This patch modifies three files.
>
> 1. mozilla/netwerk/base/public/security-prefs.js
>
> The change is good.
>
> 2. mozilla/security/manager/ssl/src/nsNSSComponent.cpp
>
> The changes look good, except that I'm not sure if we
> need to clear the session cache when the user toggles
> the TLS session tickets preference setting.
>
> Nagendra, did you set clearSessionCache = PR_TRUE
> deliberately, or did you copy it from the SSL_ENABLE_TLS
> code above inadvertently?
>
> Do you think we should clear the session cache?
>

I decided to clear the session cache so that session ticket behavior will change immediately, but you are right -- there is no need to clear the session cache as tickets will not be sent if the option is disabled. I have reverted this line.

> By the way, does your editor automatically delete blank
> lines at the end of files?

Yes, emacs seems to be clever that way. I've fixed this.

>
> 3. mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp
>
> I believe the change is now incorrect because of the
> use of preference setting. We need to delete this
> code.
>

Reverted these changes. Patch to follow shortly.
Comment 10 • 16 years ago (Reporter)
Addressing Wan-Teh's comments. I built Minefield using this patch and the option shows up in the about:config page as expected.
Attachment #304926 - Attachment is obsolete: true
Attachment #304926 - Flags: review?(kengert)
Comment 11 • 16 years ago
wtc, Nagendra, we're really interested in getting this for FF3. Thanks so much.
Comment 12 • 16 years ago
Comment on attachment 305117: Enable TLS Session Ticket Extension in FF (v3.1)

r=wtc
Attachment #305117 - Flags: review+
Updated • 16 years ago
Attachment #305117 - Flags: review?(kengert)
Comment 13 • 16 years ago
Comment on attachment 305117: Enable TLS Session Ticket Extension in FF (v3.1)

r+ please add kai to the CC list, though.

bob
Attachment #305117 - Flags: review?(kengert) → review+
Comment 14 • 16 years ago
Comment on attachment 305117: Enable TLS Session Ticket Extension in FF (v3.1)

I don't know if two module peers' reviews are enough for a PSM patch, or we need at least one module owner's review.
Attachment #305117 - Flags: review?(kengert)
Comment 15 • 16 years ago (Assignee)
Comment on attachment 305117: Enable TLS Session Ticket Extension in FF (v3.1)

r=kengert

You do not need superreview if you have two or more PSM peer/module owner reviews.
Attachment #305117 - Flags: review?(kengert) → review+
Comment 16 • 16 years ago
Comment on attachment 305117: Enable TLS Session Ticket Extension in FF (v3.1)

Requesting approval to check in the patch on the Mozilla trunk for Firefox 3 Beta 4.

This patch adds a hidden preference for enabling or disabling the TLS session ticket extension. The preference is on by default. The preference has no effect if the NSS libraries don't support this TLS extension. This allows us to work with different versions of (bundled or system) NSS.
Attachment #305117 - Flags: approval1.9?
Comment 17 • 16 years ago
Comment on attachment 305117: Enable TLS Session Ticket Extension in FF (v3.1)

a1.9+=damons
Attachment #305117 - Flags: approval1.9? → approval1.9+
Comment 18 • 16 years ago
Comment on attachment 305117: Enable TLS Session Ticket Extension in FF (v3.1)

I checked in the patch on the Mozilla trunk for FF 3 Beta 4.

Checking in netwerk/base/public/security-prefs.js;
/cvsroot/mozilla/netwerk/base/public/security-prefs.js,v <-- security-prefs.js
new revision: 1.20; previous revision: 1.19
done
Checking in security/manager/ssl/src/nsNSSComponent.cpp;
/cvsroot/mozilla/security/manager/ssl/src/nsNSSComponent.cpp,v <-- nsNSSComponent.cpp
new revision: 1.158; previous revision: 1.157
done
Updated • 16 years ago
Target Milestone: --- → mozilla1.9beta4
Comment 19 • 16 years ago
Looks like this landed, and so I'm closing it.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED