Closed
Bug 672836
Opened 13 years ago
Closed 11 years ago
PSM does insecure TLS -> SSL 3.0 fallback in too many situations
Categories
(Core :: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: briansmith, Unassigned)
+++ This bug was initially created as a clone of Bug #672749 +++

User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko/20110420 (CK-bz-1.2) Firefox/3.6.17
Build ID: 20110420140830

Steps to reproduce:
Connect to a HTTPS site through a Bluecoat ProxySG device.

Actual results:
The TLSv1 Client Hello lists cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF) first. This causes the proxy to respond with an Alert: Warning, Unrecognized Name (0x0170). This in turn causes Firefox to restart the request with a SSLv3 Client Hello.

Expected results:
The insecure SSL 3.0 fallback should not be triggered. The SSL 3.0 fallback should only be triggered due to timeouts or other specific conditions that are known to be due to TLS intolerance, to minimize version rollback attacks.
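The sequence reported above (TLS 1.0 Client Hello, warning-level alert, SSL 3.0 Client Hello) can be searched for in captured handshake records. The following is an added example, not part of the bug report or of Mozilla's code; the function names and the sample bytes are constructed, and it assumes unfragmented records from one client/server pair in capture order.

```python
import struct

ALERT, HANDSHAKE = 21, 22        # TLS record content types
UNRECOGNIZED_NAME = 112          # alert description 0x70 (RFC 6066)
SCSV = 0x00FF                    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV

def parse_record(rec):
    """Summarise one TLS record as a (kind, a, b) tuple."""
    ctype, _rec_version, length = struct.unpack("!BHH", rec[:5])
    body = rec[5:5 + length]
    if ctype == ALERT and len(body) == 2:
        return ("alert", body[0], body[1])             # level, description
    if ctype == HANDSHAKE and body[:1] == b"\x01":     # ClientHello
        version = struct.unpack("!H", body[4:6])[0]    # client_version
        off = 39 + body[38]                            # skip random + session id
        n = struct.unpack("!H", body[off:off + 2])[0]
        suites = struct.unpack("!%dH" % (n // 2), body[off + 2:off + 2 + n])
        return ("client_hello", version, suites)
    return ("other", ctype, None)

def find_fallbacks(records):
    """Flag a lower-version ClientHello that follows a warning-level alert."""
    findings, last_hello, warning = [], None, None
    for rec in records:
        kind, a, b = parse_record(rec)
        if kind == "alert" and a == 1:                 # level 1 = warning
            warning = b
        elif kind == "client_hello":
            if last_hello and warning is not None and a < last_hello[0]:
                findings.append({"from": last_hello[0], "to": a, "alert": warning,
                                 "scsv_first": last_hello[1][:1] == (SCSV,)})
            last_hello, warning = (a, b), None
    return findings

def client_hello(version, suites):
    """Build a minimal ClientHello record (constructed sample data)."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # null compression
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs

SUITES = [SCSV, 0x002F, 0x0035]                        # constructed suite list
SAMPLE = [
    client_hello(0x0301, SUITES),                      # TLS 1.0, SCSV listed first
    bytes([ALERT, 3, 1, 0, 2, 1, UNRECOGNIZED_NAME]),  # alert bytes 0x01 0x70
    client_hello(0x0300, SUITES),                      # SSL 3.0 retry
]

if __name__ == "__main__":
    print(find_fallbacks(SAMPLE))
```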
Comment 2 (Reporter) • 11 years ago
The problem of TLS_EMPTY_RENEGOTIATION_INFO_SCSV causing TLS intolerance fallback should have been resolved by bug 549042 which landed in mozilla-central in bug 898431. Other cases are being handled in bug 689814 and the bugs it depends on. Resolving WORKSFORME.