This bug is a result of Bug 87902. Basically, the current necko/PSM architecture makes it very hard to retry a connection that failed because the server on the other end does not implement TLS (aka SSL v3.1) correctly. In the PSM layer, we won't know if we're talking to a TLS-intolerant site until the first write. At this point the server will have shut down the connection, so we'd like to set an error (i.e. NS_ERROR_TLS_INTOLERANT_SERVER) and have necko retry the connection, only it tells us to turn off TLS before establishing the connection a second time. That will make it easier to support TLS-intolerant servers when talking through a proxy and will allow us to get rid of the current workaround in the PSM layer.
The other option is to use evangelism rather than code to fix the problem. We're exploring this option.
We already have code which automatically restarts an HTTP transaction if the first socket read returns EOF (0 bytes read with PR_SUCCESS), which can happen even after writing out data to the socket. So it might be possible for PSM to simply force a premature EOF, which would make HTTP retry with a new socket. So all we'd need to figure out is how to tell PSM not to use TLS. Suggestions? Is there any way that PSM can keep a list of TLS-intolerant servers?
We'd have to add a method to the nsISSLSocketControl interface, disableTLS, that would get called on the second socket that is created. Also, we could do a PR_SetError with a new error code so you'd know this was a TLS-intolerant server. Seems like that should be enough.
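The retry the two comments above sketch (PSM reports EOF plus an intolerance error on the first read, necko restarts the transaction on a fresh socket with TLS turned off), as an added example that is not Mozilla's necko/PSM code. The ClientHello bytes, the ServerHello stub, and the "server" (a thread on a socketpair that closes on a TLS 1.0 record version) are all constructed here; the disableTLS step is modelled as sending an SSL 3.0 record version on the second attempt.

```python
import socket
import struct
import threading

# Protocol versions as (major, minor), as they appear on the wire.
SSL3 = (3, 0)
TLS10 = (3, 1)   # "TLS (aka SSL v3.1)" in the bug description


class TlsIntolerantServer(Exception):
    """Stand-in for NS_ERROR_TLS_INTOLERANT_SERVER: the first read after the
    ClientHello returned EOF (0 bytes), so the socket layer cannot recover."""


def client_hello(version):
    """Construct a minimal ClientHello record. Only the version fields matter to
    an intolerance check; random and cipher suite are constructed placeholders."""
    major, minor = version
    body = bytes([major, minor])          # client_version
    body += b"\x00" * 32                  # random (constructed, all zero)
    body += b"\x00"                       # session_id length 0
    body += b"\x00\x02\x00\x0a"           # one cipher suite (placeholder)
    body += b"\x01\x00"                   # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


def _read_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def serve_once(sock, tolerant):
    """Peer side of one connection (runs in a thread). A TLS-intolerant server
    reads the ClientHello and closes without answering when the record version
    is above SSL 3.0; a tolerant one replies with a ServerHello stub."""
    with sock:
        header = _read_exact(sock, 5)
        if len(header) < 5 or header[0] != 0x16:      # not a handshake record
            return
        version = (header[1], header[2])
        _read_exact(sock, struct.unpack("!H", header[3:5])[0])   # consume the body
        if version > SSL3 and not tolerant:
            return                                    # close: client sees EOF on first read
        # Constructed ServerHello record (empty body) echoing the requested version.
        sock.sendall(b"\x16" + bytes(version) + b"\x00\x04" + b"\x02\x00\x00\x00")


def connect(tolerant, enable_tls):
    """One socket-level attempt, as the PSM layer would see it: send the
    ClientHello and do the first read. EOF on that read is reported as
    TlsIntolerantServer (the PR_SetError suggested above); otherwise the
    version the peer answered with is returned. The peer is a thread on a
    socketpair so the example runs offline."""
    client, server = socket.socketpair()
    t = threading.Thread(target=serve_once, args=(server, tolerant))
    t.start()
    with client:
        client.sendall(client_hello(TLS10 if enable_tls else SSL3))
        reply = _read_exact(client, 5)
    t.join()
    if not reply:
        raise TlsIntolerantServer()
    return (reply[1], reply[2])


def negotiate(tolerant):
    """Transaction-level retry, modelled on necko restarting the HTTP
    transaction on a new socket: try with TLS once; on the intolerance error,
    retry exactly once with TLS disabled (the disableTLS call on the second
    socket). Returns (negotiated_version, attempts). There is no further
    fallback, so a peer that rejects both versions still fails."""
    try:
        return connect(tolerant, enable_tls=True), 1
    except TlsIntolerantServer:
        return connect(tolerant, enable_tls=False), 2


if __name__ == "__main__":
    print("tolerant server:  ", negotiate(tolerant=True))    # ((3, 1), 1)
    print("intolerant server:", negotiate(tolerant=False))   # ((3, 0), 2)
```

The retry budget is deliberately one: the fallback happens only on the specific EOF-after-write signal, and only once per transaction. The caveat a practitioner should keep in mind with any fallback of this shape is that the trigger is just a closed connection, so anything that can close the first connection (a flaky network or an active attacker) can push the client onto the weaker protocol; later clients dropped version fallback and RFC 7507 (TLS_FALLBACK_SCSV) was added so a server can detect it.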
Moving milestone. Javi, if you have a patch, we can try to get this into 0.9.2.
Target Milestone: --- → mozilla1.0
Component: Networking → Client Library
Product: Browser → PSM
Target Milestone: mozilla1.0 → 2.1
Version: other → 2.1
Assignee: neeti → javi
Priority: -- → P1
*** Bug 88381 has been marked as a duplicate of this bug. ***
*** Bug 88142 has been marked as a duplicate of this bug. ***
It looks fine to me, from the necko side of things. darin?
the communication to necko looks good to me.
patch checked in. TLS is no longer turned off for all proxied SSL connections.
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Verified on 8/2 WinNT trunk.
Status: RESOLVED → VERIFIED