Limit TLS intolerance fallback to sites that are not HSTS

RESOLVED INCOMPLETE

Type: defect
Status: RESOLVED INCOMPLETE
Reported: 6 years ago
Modified: 4 years ago
People

(Reporter: briansmith, Unassigned)

Tracking

Trunk

Details

HSTS should stop us from doing TLS intolerance fallback, since the purpose of HSTS is to make TLS-related errors fatal.
We may need to continue to allow TLS 1.2 -> TLS 1.1 -> TLS 1.0 fallback in response to connection resets in order to work around some intermediaries that reset TLS 1.2 and TLS 1.1 connections, based on my understanding of Google's findings. However, we should at least prevent the fallback to SSL 3.0 for HSTS sites.

Adding dependency on bug 775370 since that will make it easier for us to get the HSTS state during the TLS connection. CC'ing keeler in case he wants to do this after bug 775370 is done.
Depends on: 775370
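The fallback policy described in the report, as an added model (constructed for this page; not Firefox or NSS code): a client walks the version chain downward on failure, but for an HSTS host only a connection reset may trigger a step down, and the chain never reaches SSL 3.0. The simulated servers and outcome labels are assumptions made for the example.

```python
"""Model of TLS version-intolerance fallback gated by HSTS (constructed example)."""

# Protocol versions in the order a client would try them, newest first.
FALLBACK_CHAIN = ["TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"]

# Outcomes a connection attempt can produce (constructed labels).
OK, RESET, HANDSHAKE_FAILURE = "ok", "reset", "handshake_failure"


def next_version(current, outcome, hsts):
    """Return the version to retry with, or None when the error is fatal.

    Policy modelled from the bug report:
      * Non-HSTS hosts: any failure may fall back one step, down to SSL 3.0.
      * HSTS hosts: fallback is allowed only on a connection reset (to cope
        with intermediaries that reset TLS 1.2/1.1) and never to SSL 3.0.
    """
    idx = FALLBACK_CHAIN.index(current)
    if outcome == OK or idx + 1 >= len(FALLBACK_CHAIN):
        return None
    candidate = FALLBACK_CHAIN[idx + 1]
    if hsts and (outcome != RESET or candidate == "SSL3.0"):
        return None
    return candidate


def negotiate(server, hsts):
    """Walk the fallback chain against a simulated server; return the
    version that succeeded, or None if the connection became fatal."""
    version = FALLBACK_CHAIN[0]
    while version is not None:
        outcome = server(version)
        if outcome == OK:
            return version
        version = next_version(version, outcome, hsts)
    return None


def resetting_middlebox(version):
    """Simulated intermediary that resets anything newer than TLS 1.0."""
    return RESET if version in ("TLS1.2", "TLS1.1") else OK


def downgrade_to_ssl3(version):
    """Simulated path that resets every TLS version, so that only an
    SSL 3.0 handshake would ever complete."""
    return OK if version == "SSL3.0" else RESET
```

Against the resetting middlebox both policies end at TLS 1.0, which is the compatibility case the report wants to keep; against the path that resets all TLS versions, the HSTS policy makes the error fatal instead of landing on SSL 3.0.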

Comment 2

5 years ago
Duplicate of bug 643894?

Comment 3

5 years ago
Given Bug 643894 is specifically about disabling TLS -> SSL fallback (and not inter-TLS), I marked this as a dependency. But feel free to dupe.
Depends on: 643894
Duplicate of this bug: 643894
Not necessary after bug 1084025 is fixed.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Depends on: 1084025
Resolution: --- → INCOMPLETE