does not support TLS secure renegotiation extension (RFC5746)



8 years ago
3 years ago


(Reporter: briansmith, Unassigned)





(1 attachment)

Created attachment 531705 [details]
bad xml document

+++ This bug was initially created as a clone of Bug #623155 +++

See, the current contents of which are attached. When accessing this resource, there is an XML parsing error. The site identity block is grey, with no favicon, and Larry says "This website does not supply identity information" and "Your connection to this website is only partially encrypted, and does not prevent eavesdropping."
The site identity block is working correctly. I have security.ssl.treat_unsafe_negotiation_as_broken=true, and does not have the TLS secure renegotiation extension enabled.
Assignee: nobody → infrasec
Group: core-security
Component: Security: UI → Infrastructure Security: Server Security
OS: Linux → All
Product: Core →
QA Contact: ui → clyon
Hardware: x86 → All
Summary: XML parsing error for document over HTTPS causes identity block to incorrectly indicate mixed content and untrusted publisher → does not support TLS secure renegotiation extension (RFC5746)
Version: Trunk → other
Is this an issue? aus3.m.o is what fx4 uses and aus2 is what fx3 uses. Not sure if there are any clients we have which have support for rfc5746 that actually use aus.m.o. 

Granted, looking at aus3, looks like there are other issues besides rfc5746.
Chris, I don't think it is a high priority. I just morphed the bug from what I originally reported to make the real cause clear.
This was cloned from a bug that was nominated tracking-firefox5, but it's filed in a component that doesn't make the flag visible for us to unset. I'm gonna tag the whiteboard saying as much, since I don't think firefox5 drivers should be triaging this.
Whiteboard: [ignore in tracking-firefox5 triage, flag fu]
Component: Infrastructure Security: Server Security → General
Product: → Firefox
Version: other → unspecified
tracking-firefox5: ? → ---
Whiteboard: [ignore in tracking-firefox5 triage, flag fu]
Component: General → Infrastructure Security: Server Security
Product: Firefox →
Version: unspecified → other
QA Contact: chris → mcoates
No action for >5 months -- is this on the radar to be fixed anytime soon?

From the wiki page about this error message[1], it sounds like (as of > 1.5 years ago) we're encouraging the rest of the web to upgrade their servers to address this, so it's a little embarrassing that we ourselves have high-value servers that still aren't upgraded.

Per comment 2 it's unclear if this site is even in use.
Copying in Corey and Shyam, do we have an upgrade we can apply here?
(In reply to Michael Coates [:mcoates] from comment #6)
> Per comment 2 it's unclear if this site is even in use.

It apparently is in use for some people, per this post on
aus.m.o was superseded by aus2.m.o and then aus3.m.o, but Firefox still reports the message in the Error Console for aus3.m.o, which all versions older than about Fx2 are currently using. Luckily Brian is looking into this over in bug 555952.
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 555952
Component: Operations Security (OpSec): General → General
Product: → Enterprise Information Security