Need a way to re-try SSL connections w/ TLS turned off

VERIFIED FIXED in psm2.1

Status

P1
normal
VERIFIED FIXED
17 years ago
2 years ago

People

(Reporter: javi, Assigned: javi)

Tracking

1.0 Branch
psm2.1
x86
Linux

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)


Description

17 years ago
This bug is a result of Bug 87902

Basically, the current necko/PSM architecture makes it very hard to re-try a
connection that failed because the server on the other end does not implement TLS
(aka SSL v3.1) correctly.

In the PSM layer, we won't know if we're talking to a TLS intolerant site until
the first write.  At this point the server will have shut down the connection so
we'd like to set an error (i.e. NS_ERROR_TLS_INTOLERANT_SERVER) and have necko
re-try the connection, only it tells us to turn off TLS before establishing the
connection a second time.

That will make it easier to support TLS intolerant servers when talking through
a proxy and will allow us to get rid of the current workaround in the PSM layer.

Comment 1

17 years ago
The other option is to use evangelism rather than code to fix the problem. 
We're exploring this option.

Comment 2

17 years ago
we already have code which automatically restarts an HTTP transaction if the
first socket read returns EOF (0 bytes read with PR_SUCCESS), which can happen
even after writing out data to the socket.  so, it might be possible for PSM to
simply force a premature EOF, which would make HTTP retry with a new socket.

so, all we'd need to figure out is how to tell PSM to not use TLS.  suggestions?

is there any way that PSM can keep a list of TLS intolerant servers?

Comment 3

17 years ago
We'd have to add a method to the nsISSLSocketControl interface disableTLS that
would get called on the second socket that is created.  Also we could do a
PR_SetError with a new error code so you'd know this was a TLS intolerant server.

Seems like that should be enough.
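
The retry flow discussed in the description and in comments 2 and 3, as an added illustration that is not part of this bug or of the attached patch: the socket layer reports a dedicated error on the first write, and the caller retries once on a new socket with `disableTLS` called, remembering the host. Apart from that method name and the error name, every type here (`Connector`, `SslSocket`, `FakeServer`, `Outcome`) is hypothetical and the servers are constructed stand-ins.

```cpp
// Added illustration; not Mozilla code. Names other than disableTLS are hypothetical.
#include <set>
#include <string>

// TlsIntolerantServer stands in for NS_ERROR_TLS_INTOLERANT_SERVER from the bug.
enum class Result { Ok, TlsIntolerantServer, Other };

struct FakeServer { bool tlsIntolerant; bool down; };  // constructed test peers

struct SslSocket {
    const FakeServer& peer;
    bool tlsEnabled;
    explicit SslSocket(const FakeServer& p) : peer(p), tlsEnabled(true) {}
    void disableTLS() { tlsEnabled = false; }
    // Intolerance is only visible at the first write, after the peer hung up.
    Result firstWrite() const {
        if (peer.down) return Result::Other;
        if (peer.tlsIntolerant && tlsEnabled) return Result::TlsIntolerantServer;
        return Result::Ok;
    }
};

struct Outcome { Result result; int attempts; bool usedTLS; };

class Connector {
    std::set<std::string> intolerant_;  // the per-host list asked about in comment 2
public:
    bool isKnownIntolerant(const std::string& h) const { return intolerant_.count(h) > 0; }
    Outcome connect(const std::string& host, const FakeServer& srv) {
        bool tls = !isKnownIntolerant(host);
        for (int attempt = 1;; ++attempt) {
            SslSocket s(srv);
            if (!tls) s.disableTLS();  // called on the second socket, as in comment 3
            Result r = s.firstWrite();
            // Fall back once, and only on the dedicated error code: any other
            // failure is reported as-is and never lowers the protocol version.
            if (r == Result::TlsIntolerantServer && attempt == 1) {
                intolerant_.insert(host);
                tls = false;
                continue;
            }
            return Outcome{r, attempt, s.tlsEnabled};
        }
    }
};

int main() {
    Connector c;
    FakeServer legacy{true, false};
    return c.connect("legacy.example", legacy).attempts == 2 ? 0 : 1;
}
```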

Comment 4

17 years ago
moving milestone.  Javi, if you have a patch, we can try to get this into 0.9.2.
Target Milestone: --- → mozilla1.0

Comment 5

17 years ago
err.0.9.3

Comment 6

17 years ago
->PSM
Component: Networking → Client Library
Product: Browser → PSM
Target Milestone: mozilla1.0 → 2.1
Version: other → 2.1

Comment 7

17 years ago
taking bug.
Assignee: neeti → javi

Comment 8

17 years ago
Setting priority.
Priority: -- → P1

Comment 9

17 years ago
*** Bug 88381 has been marked as a duplicate of this bug. ***

Comment 10

17 years ago
*** Bug 88142 has been marked as a duplicate of this bug. ***

Comment 11

17 years ago
Created attachment 43023
Patch to let necko re-try the connection.
It looks fine to me, from the necko side of things. darin?

Comment 13

17 years ago
r=ddrinan.

Updated

17 years ago
QA Contact: benc → junruh

Comment 14

17 years ago
the communication to necko looks good to me.
sr=blizzard

Comment 16

17 years ago
patch checked in.

TLS is no longer turned off for all proxied SSL connections.
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 17

17 years ago
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer

Comment 18

17 years ago
Verified on 8/2 WinNT trunk.
Status: RESOLVED → VERIFIED

Updated

14 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

10 years ago
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard