Expose support for enableRequireSafeNegotiation after NSS has provided the functionality. See Bug 527240, which provided support to enable/disable renegotiation in JSS 4.3.1.
Glen, I suggest you wait on this until 3.12.6 is closer to release. There's a chance that the IETF TLS working group will standardize on something VERY different than what we've been working on for the last 6 weeks, and it might have API implications.
Thanks, Nelson. I am waiting. My main goal was to close bug 527240 since JSS 4.3.1 (and NSS 3.12.5) RTM'd, then I opened this new bug to address the fact that JSS will likely need to expose more functionality related to CVE-2009-3555 once NSS provides the support.
Created attachment 429290: expose SSL_REQUIRE_SAFE_NEGOTIATION
This patch exposes to JSS the NSS configuration option SSL_REQUIRE_SAFE_NEGOTIATION and updates the options for SSL_ENABLE_RENEGOTIATION by adding SSL_RENEGOTIATE_TRANSITIONAL and updating the comments regarding SSL_RENEGOTIATE_REQUIRES_XTN. This patch also updates JSS versions of SSLerrs.h. The basic testing performed was simply to check if the options are set correctly.
Attachment #429290 - Flags: review?(wtc)
Comment on attachment 429290 [details] [diff] [review] expose SSL_REQUIRE_SAFE_NEGOTIATION r=wtc. In ssl/SSLServerSocket.java: I suggest two comment changes for this file. Please make the same changes to ssl/SSLSocket.java (there are two occurrences of each change in ssl/SSLSocket.java). > * SSLSocket.SSL_RENEGOTIATE_UNRESTRICTED - Renegotiate without >- * restriction, whether or not the peer's client hello bears the >- * renegotiation info extension (like we always did in the past). >+ * restriction, whether or not the peer's client hello bears the TLS >+ * renegotiation info extension. Vulnerable, as in the past. Change "client hello" to "client hello or server hello" or just "hello". (The comment for SSL_RENEGOTIATE_REQUIRES_XTN below uses just "hello".) I know this comment comes from NSS. >+ * SSLSocket.SSL_RENEGOTIATE_TRANSITIONAL - Disallow unsafe >+ * renegotiation in server sockets only, but allow clients >+ * to continue to renegotiate with vulnerable servers. >+ * This value should only be used during the transition period >+ * when few servers have been upgraded. > * >- * SSLSocket.SSL_RENEGOTIATE_REQUIRES_XTN - NOT YET IMPLEMENTED > */ Nit: delete the blank comment line at the end.
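Review bot: In the SSL_RENEGOTIATE_UNRESTRICTED comment, "Vulnerable, as in the past." does not say vulnerable to what, and in the SSL_RENEGOTIATE_TRANSITIONAL comment, "should only be used during the transition period" does not say which value a caller should move to afterwards. Suggest naming the issue in the first (CVE-2009-3555, which this bug tracks) and pointing the second at another entry in the same list, for example SSL_RENEGOTIATE_REQUIRES_XTN, whose "NOT YET IMPLEMENTED" line this hunk removes, so that someone reading only these comments can choose a setting without going back to the NSS headers.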
Attachment #429290 - Flags: review?(wtc) → review+
Thanks, Glen, for the patch. Please update the bug when you commit the changes.
Thanks for the review, Wan-Teh.
Checking in SSLServerSocket.java;
/cvsroot/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java,v <-- SSLServerSocket.java
new revision: 1.27; previous revision: 1.26
done
Checking in SSLSocket.java;
/cvsroot/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java,v <-- SSLSocket.java
new revision: 1.32; previous revision: 1.31
done
Checking in SocketBase.java;
/cvsroot/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java,v <-- SocketBase.java
new revision: 1.19; previous revision: 1.18
done
Checking in common.c;
/cvsroot/mozilla/security/jss/org/mozilla/jss/ssl/common.c,v <-- common.c
new revision: 1.32; previous revision: 1.31
done
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Priority: -- → P1
Resolution: --- → FIXED
Created attachment 429595: patch as checked in
Attachment #429290 - Attachment is obsolete: true