Closed Bug 415033 Opened 14 years ago Closed 13 years ago

Enable TLS session ticket extension in FF

Categories: Core :: Security: PSM, enhancement, P2
Status: RESOLVED FIXED (target milestone mozilla1.9beta4)
People: Reporter ngm+mozilla, Assigned KaiE
Keywords: perf, relnote
Attachments: 1 file, 3 obsolete files

User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Bug 403563 describes a feature enhancement to TLS implementation in NSS: the TLS Session Ticket Extension, as specified in rfc4507bis.

This bug tracks an enhancement to FF that enables the Session Ticket Extension for all secure connections.

Reproducible: Always

Depends on: tlsste
Hardware: PC → All
I think this belongs to product: "core", component: "Security: PSM".
Product: Firefox → Core
Version: unspecified → psm2.4
please include -p in your diff flags.

is there something that explains why we're adding the feature? (a requirements document...)
Assignee: nobody → kengert
Component: Security → Security: PSM
QA Contact: firefox → psm
Version: psm2.4 → Trunk
Shortened SSL_ENABLE_SESSION_TICKET_EXTENSION to SSL_ENABLE_SESSION_TICKETS.
Attachment #300602 - Attachment is obsolete: true
(In reply to comment #3)
> please include -p in your diff flags.
> 
> is there something that explains why we're adding the feature? (a requirements
> document...)
> 

This feature is not listed in the FF3 PRD; I am describing the feature below.  Please let me know if this description should also appear elsewhere.
--
The TLS Session Ticket Extension (described in RFC4507bis) allows servers to pass SSL session state to clients in the form of an encrypted ticket.  This feature allows browsers to resume connections with load-balanced server pools without placing requirements on server affinity.  Note that server affinity for SSL means that load balancers need to terminate TCP connections, read the SSL session ID, and then forward the connection appropriately.  The session ticket extension allows servers and load balancers to be stateless, at least from an SSL perspective.

Higher SSL resume rates imply lower average handshake latency (by one round trip), and lower CPU load on servers that results from avoiding public key operations.  Hopefully lower latency and CPU load will encourage service providers to increase their use of SSL.

From a security perspective, client side impact is minimal -- clients treat tickets as opaque data after all (most of the changes are server side -- creation and usage of tickets).

We have tested interoperability with OpenSSL, which included support for the Session Ticket Extension as of the 0.9.8g release.
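As an added example (not code from this bug or from the Mozilla tree), here is a small parser that tells from a captured ClientHello record whether a client offers the SessionTicket extension (type 35) at all, asks the server for a ticket with an empty extension, or presents a ticket to resume; the sample ClientHello builder is constructed for the demo and is not a real capture.

```python
import struct

SESSION_TICKET_EXT = 0x0023  # "SessionTicket TLS" extension type (RFC 4507 / RFC 5077)

def parse_client_hello(record):
    """Parse one TLS ClientHello record into version, session id and extensions;
    a malformed extension block raises ValueError instead of parsing as empty."""
    if len(record) < 5 or record[0] != 0x16:                  # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:                      # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", ch[0:2])[0]
    pos = 34                                                  # version (2) + client random (32)
    sid_len = ch[pos]
    session_id, pos = ch[pos + 1:pos + 1 + sid_len], pos + 1 + sid_len
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]        # skip cipher_suites<2..2^16-2>
    pos += 1 + ch[pos]                                        # skip compression_methods<1..2^8-1>
    extensions = {}
    if pos < len(ch):                                         # extension block is optional
        end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
        pos += 2
        if end > len(ch):
            raise ValueError("extensions length overruns ClientHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
            if pos + 4 + elen > end:
                raise ValueError("extension overruns extension block")
            extensions[etype] = ch[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"version": version, "session_id": session_id, "extensions": extensions}

def session_ticket_status(record):
    """'none': tickets not offered; 'empty': client asks for a ticket;
    'resume': client presents a ticket (attempted ticket-based resumption)."""
    exts = parse_client_hello(record)["extensions"]
    if SESSION_TICKET_EXT not in exts:
        return "none"
    return "empty" if len(exts[SESSION_TICKET_EXT]) == 0 else "resume"

def build_client_hello(ticket=None):
    """Constructed sample TLS 1.0 ClientHello (not a real capture); ticket=None omits the extension."""
    ch = b"\x03\x01" + bytes(32) + b"\x00"                    # version, client random, empty session id
    ch += b"\x00\x02\x00\x2f" + b"\x01\x00"                   # one cipher suite (AES128-SHA), null compression
    if ticket is not None:
        ext = struct.pack("!HH", SESSION_TICKET_EXT, len(ticket)) + ticket
        ch += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch             # handshake header: type 1 + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record header: type 22, TLS 1.0, length
```

Run over the first handshake record of each connection, this distinguishes clients that merely support tickets from clients that actually resume with one, which is the signal to watch when judging whether the feature is paying off on the server side.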
Duplicate of this bug: 404034
Flags: wanted1.9+
Priority: -- → P2
Keywords: perf
Status: UNCONFIRMED → NEW
Ever confirmed: true
* Added an about:config item for the TLS session ticket extension
Attachment #300736 - Attachment is obsolete: true
Comment on attachment 304926 [details] [diff] [review]
  Enable TLS Session Ticket Extension in FF (v3)

Kai, could you also take a look at this patch?

This patch modifies three files.

1. mozilla/netwerk/base/public/security-prefs.js

The change is good.

2. mozilla/security/manager/ssl/src/nsNSSComponent.cpp

The changes look good, except that I'm not sure if we
need to clear the session cache when the user toggles
the TLS session tickets preference setting.

Nagendra, did you set clearSessionCache = PR_TRUE
deliberately, or did you copy it from the SSL_ENABLE_TLS
code above inadvertently?

Do you think we should clear the session cache?

By the way, does your editor automatically delete blank
lines at the end of files?

3. mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp

I believe the change is now incorrect because of the
use of preference setting.  We need to delete this
code.
Attachment #304926 - Flags: review?(kengert)
(In reply to comment #8)
> (From update of attachment 304926 [details] [diff] [review])
> Kai, could you also take a look at this patch?
> 
> This patch modifies three files.
> 
> 1. mozilla/netwerk/base/public/security-prefs.js
> 
> The change is good.
> 
> 2. mozilla/security/manager/ssl/src/nsNSSComponent.cpp
> 
> The changes look good, except that I'm not sure if we
> need to clear the session cache when the user toggles
> the TLS session tickets preference setting.
> 
>
> Nagendra, did you set clearSessionCache = PR_TRUE
> deliberately, or did you copy it from the SSL_ENABLE_TLS
> code above inadvertently?
> 
> Do you think we should clear the session cache?
>

I decided to clear the session cache so that session ticket behavior will change immediately, but you are right -- there is no need to clear the session cache as tickets will not be sent if the option is disabled.  I have reverted this line.

> By the way, does your editor automatically delete blank
> lines at the end of files?

Yes, emacs seems to be clever that way.  I've fixed this.

> 
> 3. mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp
> 
> I believe the change is now incorrect because of the
> use of preference setting.  We need to delete this
> code.
> 

Reverted these changes.  Patch to follow shortly.
Addressing Wan-Teh's comments.

I built Minefield using this patch and the option shows up in the about:config page as expected.
Attachment #304926 - Attachment is obsolete: true
Attachment #304926 - Flags: review?(kengert)
wtc, Nagendra, we're really interested in getting this for FF3. Thanks so much.
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

r=wtc
Attachment #305117 - Flags: review+
Attachment #305117 - Flags: review?(kengert)
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

r+ please add kai to the CC list, though.

bob
Attachment #305117 - Flags: review?(kengert) → review+
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

I don't know if two module peers' reviews are enough for a PSM
patch, or we need at least one module owner's review.
Attachment #305117 - Flags: review?(kengert)
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

r=kengert

You do not need superreview if you have two or more PSM peer/module owner reviews.
Attachment #305117 - Flags: review?(kengert) → review+
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

Requesting approval to check in the patch on the Mozilla trunk
for Firefox 3 Beta 4.

This patch adds a hidden preference for enabling or disabling
the TLS session ticket extension.  The preference is on by
default.  The preference has no effect if the NSS libraries
don't support this TLS extension.  This allows us to work with
different versions of (bundled or system) NSS.
Attachment #305117 - Flags: approval1.9?
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

a1.9+=damons
Attachment #305117 - Flags: approval1.9? → approval1.9+
Comment on attachment 305117 [details] [diff] [review]
Enable TLS Session Ticket Extension in FF (v3.1)

I checked in the patch on the Mozilla trunk for FF 3 Beta 4.

Checking in netwerk/base/public/security-prefs.js;
/cvsroot/mozilla/netwerk/base/public/security-prefs.js,v  <--  security-prefs.js
new revision: 1.20; previous revision: 1.19
done
Checking in security/manager/ssl/src/nsNSSComponent.cpp;
/cvsroot/mozilla/security/manager/ssl/src/nsNSSComponent.cpp,v  <--  nsNSSComponent.cpp
new revision: 1.158; previous revision: 1.157
done
Keywords: relnote
Target Milestone: --- → mozilla1.9beta4
Depends on: 420151
Looks like this landed, and so I'm closing it.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED