Closed Bug 88244 Opened 23 years ago Closed 23 years ago

Need a way to re-try SSL connections w/ TLS turned off


(Core Graveyard :: Security: UI, defect, P1)

1.0 Branch


(Not tracked)



(Reporter: javi, Assigned: javi)




(1 file)

This bug is a result of Bug 87902

Basically, the current necko/PSM architecture makes it very hard to re-try a
connection the failed because the server on the other end does not implement TLS
(aka SSL v3.1) correctly.

In the PSM layer, we won't know if we're talking to a TLS intolerant site until
the first write.  At this point the server will have shut down the connection so
we'd like to set an error (ie NS_ERROR_TLS_INTOLERANT_SERVER) and have necko
re-try the connection only it tells us to turn off TLS before establishing the
connection a second time.

That will make it easier to support TLS intolerant servers when talking through
a proxy and will allow us to get rid of the current work around in the PSM layer.
The other option is to use evangelism rather than code to fix the problem. 
We're exploring this option.

we already have code which automatically restarts an HTTP transaction if the
first socket read returns EOF (0 bytes read with PR_SUCCESS), which can happen
even after writing out data to the socket.  so, it might be possible for PSM to
simply force a premature EOF, which would make HTTP retry with a new socket.

so, all we'd need to figure out is how to tell PSM to not use TLS.  suggestions?

is there any way that PSM can keep a list of TLS intolerant servers?
We'd have to add a method to the nsISSLSocketControl interface disableTLS that
would get called on the second socket that is created.  Also we could do a
PR_SetError with a new error code so you'd know this was a TLS intolerant server.

Seems like that should be enough.
moving milestone.  Javi, if you have a patch, we can try to get this into 0.9.2.
Target Milestone: --- → mozilla1.0
Component: Networking → Client Library
Product: Browser → PSM
Target Milestone: mozilla1.0 → 2.1
Version: other → 2.1
taking bug.
Assignee: neeti → javi
Setting priority.
Priority: -- → P1
*** Bug 88381 has been marked as a duplicate of this bug. ***
*** Bug 88142 has been marked as a duplicate of this bug. ***
It looks fine to me, from the necko side of things. darin?
QA Contact: benc → junruh
the communication to necko looks good to me.
patch checked in.

TLS is no longer turned off for all proxied SSL connections.
Closed: 23 years ago
Resolution: --- → FIXED
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Verified on 8/2 WinNT trunk.
Product: PSM → Core
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.