Open
Bug 883674
Opened 11 years ago
Updated 2 years ago
RFC5746 renegotiation extension warnings are sent to the error console instead of the web console
Categories
(Core :: Security: PSM, defect, P3)
Core
Security: PSM
Tracking
()
NEW
People
(Reporter: briansmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-backlog])
Attachments
(4 files)
7.32 KB,
patch
|
Details | Diff | Splinter Review | |
10.81 KB,
patch
|
Details | Diff | Splinter Review | |
125.49 KB,
patch
|
Details | Diff | Splinter Review | |
2.51 KB,
patch
|
Details | Diff | Splinter Review |
Three related problems: 1. The code that logs RFC5746 renegotiation extension warnings to the console is in PSM's HandshakeCallback (nsNSSCallbacks.cpp). This is not where UI code should go, and in particular, at this point we don't have a reference to the window/tab to send the web console message to. 2. The warning is not localized. 3. The message is sent to the error console instead of the web console.
Comment 1•11 years ago
|
||
FWIW, it's now the Browser's Console it's sent to.
Comment 2•9 years ago
|
||
This adds an option to NSS that controls whether the NSS server sends the RFC 5746 extension. This is necessary for testing (mochitest uses ssltunnel, ssltunnel uses NSS), but like I mentioned in the patch itself, is not desirable for release builds. For convenience, this patch is against the copy of NSS in m-i, but a separate NSS bug should probably be filed for this. In addition, I have not run NSS' test suite against this change.
Comment 3•9 years ago
|
||
The actual changes to send the error message to the web console. Also includes a fix to filter out duplicate "SSL" class messages, to prevent console spam.
Comment 4•9 years ago
|
||
Comment 5•9 years ago
|
||
Comment 6•9 years ago
|
||
^ These are the WIPs I have so far, mainly posted for reference. If anyone can think of a good way to mitigate my concerns for reduced compliance in attachment 8652839 [details] [diff] [review], please let me know. Alternatively, if anyone would like to take over, please feel free.
Comment 7•8 years ago
|
||
RFC 5746 warnings shouldn't be generated at all. If a server does not intend to support renegotiation, sending the signal is not necessary. I don't care that there is a "MUST" in RFC 5746, as long as they correctly reject an attempt to renegotiate, they are safe. What isn't safe is that as a client, we do not require that the server to indicate support for RFC 5746 before we respond to a HelloRequest. I would rather fix that. I would like to see this message removed rather than fixed. I have no opinion on correcting other messages.
Comment 8•8 years ago
|
||
The problem is that we can't tell whether the server supports the insecure renegotiation unless the server supports RFC 5746. See the lengthy discussion in bug 549641 and bug 554594.
Comment 9•8 years ago
|
||
Those two bugs are 6 years old. Lots of servers are disabling renegotiation; few if any don't support 5746. The need for the warning has long passed. Like I said, we have a way to make this safe and I'd rather do that than to spend any time fixing the warning.
Comment 10•8 years ago
|
||
See bug 665859 comment #8 for some stats. A warning in console would help the admins to fix this issue. I think this one is blocking bug 665859.
Comment 11•8 years ago
|
||
Yep, those stats show that this is not a problem that needs a warning. To put this in perspective, I get *tons* of instances of this warning from Akamai servers. Those guys don't renegotiate, and they don't have the flaw.
Component: Security: UI → Security: PSM
Priority: -- → P3
Whiteboard: [psm-backlog]
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•