Closed
Bug 549042
Opened 14 years ago
Closed 11 years ago
Patch to send empty renegotiation info extension instead of SCSV in initial handshakes
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.15.4
People
(Reporter: wtc, Assigned: wtc)
References
Details
Attachments
(1 file, 2 obsolete files)
956 bytes,
patch
|
wtc
:
checked-in+
|
Details | Diff | Splinter Review |
The attached patch causes NSS SSL clients to send empty renegotiation info extensions instead of SCSV in initial handshakes unless TLS is disabled. This allows implementers of server-side secure renegotiation to use the patched NSS as a test client that sends empty RI extensions (as opposed to SCSV, or both SCSV and empty RI) in initial handshakes.
Assignee | ||
Comment 1•14 years ago
|
||
The previous patch has a minor bug: it uses the wrong SSL version in the session resumption case.
Attachment #429281 -
Attachment is obsolete: true
Updated•13 years ago
|
Target Milestone: --- → 3.13
Comment 2•13 years ago
|
||
We (NSS team) decided to make this change, targeted for 3.13, to be consistent with Windows SChannel and Chrome.
Assignee | ||
Updated•12 years ago
|
Target Milestone: 3.13 → Future
Assignee | ||
Updated•12 years ago
|
Target Milestone: Future → ---
Comment 3•11 years ago
|
||
Wan-Teh, do you know the current state of this bug? The patch says "DO NOT CHECK IN" and comment 2 says we agreed to make this change to NSS to be consistent with other implementations. Do we still need to actually make that change?
Comment 4•11 years ago
|
||
Comment on attachment 429282 [details] [diff] [review] Patch v2 (DO NOT CHECK IN) Review of attachment 429282 [details] [diff] [review]: ----------------------------------------------------------------- I see that this seems to have been used in Chromium for quite a while without problems. The SCSV is very slightly smaller (two bytes) than the empty RI extension (4 bytes), so in that sense the SCSV is slightly better. However, when only the SCSV is sent, servers that conform to RFC 5746 break the more general rule that says that a server must not send an extension unless the client sent that extension. This indicates to me that there could be interoperability issues. Did Chromium experience any interoperability issues before you started using this patch? In general, it is good for Firefox to be consistent with IE and Chromium. That is another argument in favor of taking this patch in upstream NSS. Since we already agreed to do so, I think we should check in the patch now.
Attachment #429282 -
Flags: review+
Comment 5•11 years ago
|
||
Wan-Teh, do you agree with checking in this patch for the NSS 3.15.3 release? Are either of you interested in the potential space savings of doing the opposite, and reverting this patch in Chromium? I think ultimately we're better off being consistent, though I think it is silly to waste two bytes.
Flags: needinfo?(wtc)
Target Milestone: --- → 3.15.3
Assignee | ||
Comment 6•11 years ago
|
||
Brian: thank you for the review. I am definitely for checking in this patch. For some reason I didn't get a "review granted" email notification (perhaps because I didn't request a review). I updated the patch to the current NSS trunk and checked it in: https://hg.mozilla.org/projects/nss/rev/34d14a78ed17
Attachment #429282 -
Attachment is obsolete: true
Attachment #824388 -
Flags: checked-in?
Flags: needinfo?(wtc)
Assignee | ||
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Priority: -- → P2
Resolution: --- → FIXED
Assignee | ||
Updated•11 years ago
|
Attachment #824388 -
Flags: checked-in? → checked-in+
You need to log in
before you can comment on or make changes to this bug.
Description
•