aus.mozilla.org does not support TLS secure renegotiation extension (RFC5746)

RESOLVED DUPLICATE of bug 555952

Status

8 years ago
3 years ago

People

(Reporter: briansmith, Unassigned)


Attachments

(1 attachment)

Created attachment 531705
bad xml document

+++ This bug was initially created as a clone of Bug #623155 +++

See https://aus.mozilla.org/update/firefox/en-US.rdf, the current contents of which are attached. When accessing this resource, there is an XML parsing error. The site identity block is grey, with no favicon, and Larry says "This website does not supply identity information" and "Your connection to this website is only partially encrypted, and does not prevent eavesdropping."
The site identity block is working correctly. I have security.ssl.treat_unsafe_negotiation_as_broken=true, and aus.mozilla.org does not have the TLS secure renegotiation extension enabled.
Assignee: nobody → infrasec
Group: core-security
Component: Security: UI → Infrastructure Security: Server Security
OS: Linux → All
Product: Core → mozilla.org
QA Contact: ui → clyon
Hardware: x86 → All
Summary: XML parsing error for document over HTTPS causes identity block to incorrectly indicate mixed content and untrusted publisher → aus.mozilla.org does not support TLS secure renegotiation extension (RFC5746)
Version: Trunk → other
Is this an issue? aus3.m.o is what fx4 uses and aus2 is what fx3 uses. Not sure if there are any clients we have which have support for rfc5746 that actually use aus.m.o. 

Granted, looking at aus3, looks like there are other issues besides rfc5746.
Chris, I don't think it is a high priority. I just morphed the bug from what I originally reported to make the real cause clear.
This was cloned from a bug that was nominated tracking-firefox5, but it's filed in a component that doesn't make the flag visible for us to unset. I'm gonna tag the whiteboard saying as much, since I don't think firefox5 drivers should be triaging this.
Whiteboard: [ignore in tracking-firefox5 triage, flag fu]
Component: Infrastructure Security: Server Security → General
Product: mozilla.org → Firefox
Version: other → unspecified
tracking-firefox5: ? → ---
Whiteboard: [ignore in tracking-firefox5 triage, flag fu]
Component: General → Infrastructure Security: Server Security
Product: Firefox → mozilla.org
Version: unspecified → other
QA Contact: chris → mcoates
No action for >5 months -- is this on the radar to be fixed anytime soon?

From the wiki page about this error message[1], it sounds like (as of > 1.5 years ago) we're encouraging the rest of the web to upgrade their servers to address this, so it's a little embarrassing that we ourselves have high-value servers that still aren't upgraded.

[1] https://wiki.mozilla.org/Security:Renegotiation
Per comment 2 it's unclear if this site is even in use.
Copying in Corey and Shyam, do we have an upgrade we can apply here?
(In reply to Michael Coates [:mcoates] from comment #6)
> Per comment 2 it's unclear if this site is even in use.

It apparently is in use for some people, per this post on mozilla.dev.apps.firefox:
http://groups.google.com/group/mozilla.dev.apps.firefox/msg/c4effa5522a239da
aus.m.o was superseded by aus2.m.o and then aus3.m.o, but Firefox still reports the message in the Error Console for aus3.m.o, which all versions older than about Fx2 are currently using. Luckily Brian is looking into this over in bug 555952.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 555952
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security