Need a way to re-try SSL connections w/ TLS turned off



17 years ago
2 years ago


(Reporter: javi, Assigned: javi)


1.0 Branch

Firefox Tracking Flags

(Not tracked)



(1 attachment)



17 years ago
This bug is a result of Bug 87902

Basically, the current necko/PSM architecture makes it very hard to re-try a
connection that failed because the server on the other end does not implement TLS
(aka SSL v3.1) correctly.

In the PSM layer, we won't know if we're talking to a TLS intolerant site until
the first write.  At this point the server will have shut down the connection so
we'd like to set an error (i.e. NS_ERROR_TLS_INTOLERANT_SERVER) and have necko
re-try the connection, only it tells us to turn off TLS before establishing the
connection a second time.

That will make it easier to support TLS intolerant servers when talking through
a proxy and will allow us to get rid of the current workaround in the PSM layer.

Comment 1

17 years ago
The other option is to use evangelism rather than code to fix the problem. 
We're exploring this option.

Comment 2

17 years ago
we already have code which automatically restarts an HTTP transaction if the
first socket read returns EOF (0 bytes read with PR_SUCCESS), which can happen
even after writing out data to the socket.  so, it might be possible for PSM to
simply force a premature EOF, which would make HTTP retry with a new socket.

so, all we'd need to figure out is how to tell PSM to not use TLS.  suggestions?

is there any way that PSM can keep a list of TLS intolerant servers?

Comment 3

17 years ago
We'd have to add a method, disableTLS, to the nsISSLSocketControl interface that
would get called on the second socket that is created.  Also, we could do a
PR_SetError with a new error code so you'd know this was a TLS intolerant server.

Seems like that should be enough.
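
The retry flow discussed in the description and in comments 2 and 3, as an added C++ example that is not part of the bug thread, the attached patch, or the necko/PSM code. All names (`Connector`, `Result`, `SampleServer`) and the hostnames are hypothetical and constructed; the remembered-host set follows the question raised in comment 2.

```cpp
#include <functional>
#include <set>
#include <string>
#include <utility>

// Hypothetical outcome codes; TlsIntolerantServer plays the role of the
// dedicated error code proposed in the thread.
enum class Result { Ok, TlsIntolerantServer, OtherFailure };

// Stand-in for one connection attempt: (host, tlsEnabled) -> outcome.
using Attempt = std::function<Result(const std::string&, bool)>;

class Connector {
 public:
  explicit Connector(Attempt attempt) : attempt_(std::move(attempt)) {}

  // Returns the final outcome; *attempts reports how many sockets were opened.
  Result Connect(const std::string& host, int* attempts) {
    // Hosts already recorded as intolerant start with TLS turned off.
    bool tls = intolerant_.count(host) == 0;
    *attempts = 1;
    Result r = attempt_(host, tls);
    // Retry exactly once, and only for the dedicated intolerance error;
    // any other failure is returned unchanged and never turns TLS off.
    if (r == Result::TlsIntolerantServer && tls) {
      intolerant_.insert(host);
      *attempts = 2;
      r = attempt_(host, /*tlsEnabled=*/false);
    }
    return r;
  }

  bool IsKnownIntolerant(const std::string& host) const {
    return intolerant_.count(host) != 0;
  }

 private:
  Attempt attempt_;
  std::set<std::string> intolerant_;
};

// Constructed sample server behaviour used by the demo below.
Result SampleServer(const std::string& host, bool tlsEnabled) {
  if (host == "legacy.example")  // drops the connection when TLS is offered
    return tlsEnabled ? Result::TlsIntolerantServer : Result::Ok;
  if (host == "down.example") return Result::OtherFailure;
  return Result::Ok;
}

int main() {
  Connector c(SampleServer);
  int n = 0;
  return (c.Connect("legacy.example", &n) == Result::Ok && n == 2) ? 0 : 1;
}
```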

Comment 4

17 years ago
moving milestone.  Javi, if you have a patch, we can try to get this into 0.9.2.
Target Milestone: --- → mozilla1.0

Comment 5

17 years ago

Comment 6

17 years ago
Component: Networking → Client Library
Product: Browser → PSM
Target Milestone: mozilla1.0 → 2.1
Version: other → 2.1

Comment 7

17 years ago
taking bug.
Assignee: neeti → javi

Comment 8

17 years ago
Setting priority.
Priority: -- → P1

Comment 9

17 years ago
*** Bug 88381 has been marked as a duplicate of this bug. ***

Comment 10

17 years ago
*** Bug 88142 has been marked as a duplicate of this bug. ***

Comment 11

17 years ago
Created attachment 43023
Patch to let necko re-try the connection.
It looks fine to me, from the necko side of things. darin?

Comment 13

17 years ago


17 years ago
QA Contact: benc → junruh

Comment 14

17 years ago
the communication to necko looks good to me.

Comment 16

17 years ago
patch checked in.

TLS is no longer turned off for all proxied SSL connections.
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 17

17 years ago
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer

Comment 18

17 years ago
Verified on 8/2 WinNT trunk.


14 years ago
Component: Security: UI → Security: UI
Product: PSM → Core


10 years ago
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard