656408 - aus.mozilla.org does not support TLS secure renegotiation extension (RFC5746)

Status: RESOLVED DUPLICATE of bug 555952

Description

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Created attachment 531705 [details]
bad xml document

+++ This bug was initially created as a clone of Bug #623155 +++

See https://aus.mozilla.org/update/firefox/en-US.rdf, the current contents of which are attached. When accessing this resource, there is an XML parsing error. The site identity block is grey, with no favicon, and Larry says "This website does not supply identity information" and "Your connection to this website is only partially encrypted, and does not prevent eavesdropping."

Comment 1

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

The site identity block is working correctly. I have security.ssl.treat_unsafe_negotiation_as_broken=true, and aus.mozilla.org does not have the TLS secure renegotiation extension enabled.

Comment 2

[Chris Lyon [:clyon]]

Is this an issue? aus3.m.o is what fx4 uses and aus2 is what fx3 uses. Not sure if there are any clients we have which have support for rfc5746 that actually use aus.m.o. 

Granted, looking at aus3, looks like there are other issues besides rfc5746.

Comment 3

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Chris, I don't think it is a high priority. I just morphed the bug from what I originally reported to make the real cause clear.

Comment 4

[Johnathan Nightingale [:johnath]]

This was cloned from a bug that was nominated tracking-firefox5, but it's filed in a component that doesn't make the flag visible for us to unset. I'm gonna tag the whiteboard saying as much, since I don't think firefox5 drivers should be triaging this

Comment 5

[Daniel Holbert [:dholbert]]

No action for >5 months -- is this on the radar to be fixed anytime soon?

From the wiki page about this error message[1], it sounds like (as of > 1.5 years ago) we're encouraging the rest of the web to upgrade their servers to address this, so it's a little embarrassing that we ourselves have high-value servers that still aren't upgraded.

[1] https://wiki.mozilla.org/Security:Renegotiation

Comment 6

[Michael Coates [:mcoates] (acct no longer active)]

Per comment 2 its unclear if this site is even in use.

Comment 7

[Michael Coates [:mcoates] (acct no longer active)]

Copying in Corey and Shyam, do we have an upgrade we can apply here?

Comment 8

[Daniel Holbert [:dholbert]]

(In reply to Michael Coates [:mcoates] from comment #6)
> Per comment 2 its unclear if this site is even in use.

It apparently is in use for some people, per this post on mozilla.dev.apps.firefox:
http://groups.google.com/group/mozilla.dev.apps.firefox/msg/c4effa5522a239da

Comment 9

[Nick Thomas [:nthomas] (UTC+13)]

aus.m.o was superceded by aus2.m.o and then aus3.m.o, but Firefox still reports the message in the Error Console for aus3.m.o, which all versions older than about Fx2 are currently using. Luckily Brian is looking into this over in bug 555952.