Closed
Bug 530575
Opened 15 years ago
Closed 15 years ago
(CVE-2009-3555) expose TLS enableRequireSafeNegotiation
Categories
(JSS Graveyard :: Library, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
4.3.2
People
(Reporter: glenbeasley, Assigned: glenbeasley)
References
Details
Attachments
(1 file, 1 obsolete file)
10.85 KB,
patch
|
Details | Diff | Splinter Review |
expose support for enableRequireSafeNegotiation after NSS has provided the
functionality.
see Bug 527240 which provided support to enable/disable renegotiation in JSS 4.3.1
Assignee | ||
Updated•15 years ago
|
Status: NEW → ASSIGNED
Depends on: CVE-2009-3555
Comment 1•15 years ago
|
||
Glen, I suggest you wait on this until 3.12.6 is closer to release.
There's a chance that the IETF TLS working group will standardize on something
VERY different than what we've been working on for the last 6 weeks, and it
might have API implications.
Assignee | ||
Comment 2•15 years ago
|
||
Thanks nelson. I am waiting. my main goal was to close bug 527240 since JSS 4.3.1 (and NSS 3.12.5) RTM'd, then I opened this new bug to address the fact that JSS will likely need to expose more functionality related to CVE-2009-3555 once NSS provides the support.
Assignee | ||
Comment 3•15 years ago
|
||
this patch exposes to JSS the NSS configuration option SSL_REQUIRE_SAFE_NEGOTIATION and update the options for SSL_ENABLE_RENEGOTIATION by adding SSL_RENEGOTIATE_TRANSITIONAL and updating the comments regarding SSL_RENEGOTIATE_REQUIRES_XTN.
This patch also updates JSS versions of SSLerrs.h.
The basic testing performed was simply to check if the options are set
correctly.
Attachment #429290 -
Flags: review?(wtc)
Assignee | ||
Updated•15 years ago
|
Attachment #429290 -
Attachment is patch: true
Attachment #429290 -
Attachment mime type: application/octet-stream → text/plain
Comment 4•15 years ago
|
||
Comment on attachment 429290 [details] [diff] [review]
expose SSL_REQUIRE_SAFE_NEGOTIATION
r=wtc.
In ssl/SSLServerSocket.java: I suggest two comment changes for this file.
Please make the same changes to ssl/SSLSocket.java (there are two
occurrences of each change in ssl/SSLSocket.java).
> * SSLSocket.SSL_RENEGOTIATE_UNRESTRICTED - Renegotiate without
>- * restriction, whether or not the peer's client hello bears the
>- * renegotiation info extension (like we always did in the past).
>+ * restriction, whether or not the peer's client hello bears the TLS
>+ * renegotiation info extension. Vulnerable, as in the past.
Change "client hello" to "client hello or server hello" or just "hello".
(The comment for SSL_RENEGOTIATE_REQUIRES_XTN below uses just "hello".)
I know this comment comes from NSS.
>+ * SSLSocket.SSL_RENEGOTIATE_TRANSITIONAL - Disallow unsafe
>+ * renegotiation in server sockets only, but allow clients
>+ * to continue to renegotiate with vulnerable servers.
>+ * This value should only be used during the transition period
>+ * when few servers have been upgraded.
> *
>- * SSLSocket.SSL_RENEGOTIATE_REQUIRES_XTN - NOT YET IMPLEMENTED
> */
Nit: delete the blank comment line at the end.
Attachment #429290 -
Flags: review?(wtc) → review+
Comment 5•15 years ago
|
||
Thanks, Glen, for the patch. Please update the bug when you commit the changes.
Updated•15 years ago
|
Version: 4.3.1 → 4.3.2
Updated•15 years ago
|
Target Milestone: --- → 4.3.2
Version: 4.3.2 → 4.3.1
Assignee | ||
Comment 6•15 years ago
|
||
Thanks for the review wan-teh.
Checking in SSLServerSocket.java;
/cvsroot/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java,v <-- SSLServerSocket.java
new revision: 1.27; previous revision: 1.26
done
Checking in SSLSocket.java;
/cvsroot/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java,v <-- SSLSocket.java
new revision: 1.32; previous revision: 1.31
done
Checking in SocketBase.java;
/cvsroot/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java,v <-- SocketBase.java
new revision: 1.19; previous revision: 1.18
done
Checking in common.c;
/cvsroot/mozilla/security/jss/org/mozilla/jss/ssl/common.c,v <-- common.c
new revision: 1.32; previous revision: 1.31
done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Priority: -- → P1
Resolution: --- → FIXED
Assignee | ||
Comment 7•15 years ago
|
||
Attachment #429290 -
Attachment is obsolete: true
You need to log in
before you can comment on or make changes to this bug.
Description
•