Don't retry after TLS-intolerance if TLS is the only enabled protocol

RESOLVED FIXED in mozilla16

Status

Core
Security: PSM
RESOLVED FIXED

People

(Reporter: kaie, Assigned: kaie)

Tracking

Trunk
mozilla16
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Assignee)

Description

If a user disables SSL 3 (only TLS enabled),
and the user connects to a site that supports SSL 3, only,
as of today, the following will happen:
- NSS reports error code SSL_ERROR_NO_CYPHER_OVERLAP
- PSM maps this into category "TLS intolerance, can retry"
  (see function: isTLSIntoleranceError)
- we will retry
- after a couple of retries, Necko gives up and reports "connection reset"
  (which isn't a helpful message)

This bug suggests that a more helpful error is shown to the user.

Actually, I believe our code is already intended to handle this situation,
but contains a bug.

In PSM's "checkHandshake", we call "rememberPossibleTLSProblemSite",
and use its return value as boolean flag "wantRetry".

As of today, the function returns
  "true if TLS was enabled"

I think the function should return true only if any older protocol is enabled,
and it therefore makes sense to retry.

Actually, the function already has such a smartness - only if an older protocol is enabled will it actually add the problematic site to an internal list.
See also https://bugzilla.redhat.com/show_bug.cgi?id=808136
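The retry decision described in the report, as an added illustration that is not PSM's or NSS's own code: a toy intolerant server, the "retry whenever TLS is enabled" rule the bug describes, and the fixed rule "retry only if an older protocol is still enabled". The error-code enum, the server model, the retry cap and the `connectWithFallback` loop are all assumptions for this demo; only the function names `isTLSIntoleranceError` and the scenario (client with TLS only, server with SSL 3 only) come from the bug.

```cpp
#include <cstdint>
#include <cstdio>

// Stand-in for the NSS error codes PSM treats as TLS intolerance (sslerr.h);
// the set and values here are assumptions for this demo, not the real ones.
enum class SslError { None, NoCypherOverlap, BadMacRead, RxRecordTooLong };

// Protocol versions in wire order: SSL 3.0 < TLS 1.0 < TLS 1.1.
enum Version : uint16_t { SSL3 = 0x0300, TLS1_0 = 0x0301, TLS1_1 = 0x0302 };

struct Range { Version min; Version max; };  // versions enabled on one side

// Modelled on PSM's isTLSIntoleranceError: these codes mean "maybe the server
// is TLS-intolerant, a fallback retry might help".
bool isTLSIntoleranceError(SslError e) {
  return e == SslError::NoCypherOverlap || e == SslError::BadMacRead ||
         e == SslError::RxRecordTooLong;
}

// Behaviour reported in the bug: retry whenever TLS is enabled at all,
// even when there is no older protocol left to fall back to.
bool wantRetryBuggy(const Range& client) { return client.max >= TLS1_0; }

// Fixed behaviour: retry only when an older protocol is still enabled,
// so the next attempt can actually offer something different.
bool wantRetryFixed(const Range& client) { return client.min < client.max; }

// Toy intolerant server (assumption): it aborts a hello whose highest offered
// version exceeds what it supports, and also when no version overlaps at all.
SslError handshake(const Range& client, const Range& server) {
  if (client.max > server.max) return SslError::NoCypherOverlap;  // intolerant abort
  if (client.max < server.min) return SslError::NoCypherOverlap;  // nothing in common
  return SslError::None;
}

enum class Result { Ok, NoCypherOverlap, ConnectionReset };
struct Outcome { Result result; int attempts; };

// Connection loop in the spirit of checkHandshake: on an intolerance error,
// decide whether to retry; if so, drop the offered maximum by one version.
// After too many retries the transport layer (simulated) gives up with a reset,
// which is the unhelpful message the bug complains about.
Outcome connectWithFallback(Range client, const Range& server, bool fixed,
                            int maxRetries = 3) {
  int attempts = 0;
  for (;;) {
    ++attempts;
    SslError err = handshake(client, server);
    if (err == SslError::None) return {Result::Ok, attempts};
    bool retry = isTLSIntoleranceError(err) &&
                 (fixed ? wantRetryFixed(client) : wantRetryBuggy(client));
    if (!retry) return {Result::NoCypherOverlap, attempts};  // surface NSS error as-is
    if (attempts > maxRetries) return {Result::ConnectionReset, attempts};
    if (client.max > client.min)  // fallback: offer one version lower next time
      client.max = static_cast<Version>(static_cast<uint16_t>(client.max) - 1);
  }
}

int main() {
  const Range tlsOnly{TLS1_0, TLS1_0}, ssl3AndTls{SSL3, TLS1_0}, ssl3Only{SSL3, SSL3};
  Outcome a = connectWithFallback(tlsOnly, ssl3Only, /*fixed=*/false);
  Outcome b = connectWithFallback(tlsOnly, ssl3Only, /*fixed=*/true);
  Outcome c = connectWithFallback(ssl3AndTls, ssl3Only, /*fixed=*/true);
  std::printf("buggy: result=%d attempts=%d\n", (int)a.result, a.attempts);
  std::printf("fixed: result=%d attempts=%d\n", (int)b.result, b.attempts);
  std::printf("fallback still works: result=%d attempts=%d\n", (int)c.result, c.attempts);
  return 0;
}
```

With TLS as the only enabled protocol, the buggy rule keeps retrying an identical hello until the retry cap and ends in a reset; the fixed rule stops after the first failure and lets the cipher-overlap error reach the user. When SSL 3 is also enabled, both rules retry once with the lower version and succeed, so the fix does not disable legitimate fallback.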
(Assignee)

Comment 1

Created attachment 630765 [details] [diff] [review]
Patch v1 for ESR10 branch
Assignee: nobody → kaie
(Assignee)

Comment 2

Created attachment 630774 [details] [diff] [review]
Patch v1 (mozilla-central)
Attachment #630774 - Flags: review?(honzab.moz)
Comment 3

Comment on attachment 630774 [details] [diff] [review]
Patch v1 (mozilla-central)

Review of attachment 630774 [details] [diff] [review]:
-----------------------------------------------------------------

r=honzab
Attachment #630774 - Flags: review?(honzab.moz) → review+
(Assignee)

Comment 4

Comment on attachment 630774 [details] [diff] [review]
Patch v1 (mozilla-central)

https://hg.mozilla.org/integration/mozilla-inbound/rev/1b041cc173ed
https://hg.mozilla.org/mozilla-central/rev/1b041cc173ed
Status: NEW → RESOLVED
Resolution: --- → FIXED
Target Milestone: --- → mozilla16