Closed
Bug 912582
Opened 11 years ago
Closed 11 years ago
false start rc4 and rsa accommodations need exact principal matches
Categories: Core :: Networking: HTTP, defect
Status: RESOLVED FIXED
Target Milestone: mozilla26

Release | Tracking | Status
---|---|---
firefox24 | --- | unaffected
firefox25 | --- | fixed
firefox26 | --- | fixed

People: Reporter: mcmanus, Assigned: mcmanus
Details: Whiteboard: [qa-]
Attachments (1 file): 1.82 KB, patch | keeler: review+ | akeybl: approval-mozilla-aurora+ | Details | Diff | Splinter Review
The rc4/rsa history mechanisms used for false start currently allow subdomain matches. As false start is a transport optimization, the tracking should be on an exact host basis. See bug 658222 comment 43.
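As an added illustration, not the patch's code and not Firefox's actual data structure (the class and function names are hypothetical), the two matching rules side by side: the pre-fix behaviour, where a recorded host also covers its subdomains, and the exact-host match this bug asks for.

```cpp
#include <set>
#include <string>

// Constructed stand-in for the per-host history that records servers which
// previously negotiated RC4 or RSA key exchange, so a later connection knows
// not to attempt false start against them (names are hypothetical, not the
// patch's own code).
class FalseStartHistory {
public:
    void Record(const std::string& host) { mHosts.insert(host); }

    // Pre-fix behaviour: a recorded entry also covers every subdomain of it,
    // so a record for "example.com" governs "www.example.com" too.
    bool MatchesWithSubdomains(const std::string& host) const {
        for (const std::string& recorded : mHosts) {
            if (host == recorded) return true;
            // Suffix match on a label boundary: "www.example.com" ends with
            // ".example.com", but "notexample.com" does not.
            if (host.size() > recorded.size() + 1 &&
                host[host.size() - recorded.size() - 1] == '.' &&
                host.compare(host.size() - recorded.size(), recorded.size(),
                             recorded) == 0) {
                return true;
            }
        }
        return false;
    }

    // Post-fix behaviour: only the exact principal (host) matches. False
    // start is a per-connection transport optimization, so what one host in
    // a domain negotiated says nothing about its siblings.
    bool MatchesExact(const std::string& host) const {
        return mHosts.count(host) != 0;
    }

private:
    std::set<std::string> mHosts;
};

// Demonstrates the difference: with one record for "example.com" the old
// rule treats "www.example.com" as historically RC4/RSA, the new one does not.
bool SubdomainWronglyInherits(const std::string& recorded,
                              const std::string& query) {
    FalseStartHistory history;
    history.Record(recorded);
    return history.MatchesWithSubdomains(query) && !history.MatchesExact(query);
}
```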
Updated • 11 years ago (Assignee)
Depends on: tls-false-start

Comment 1 • 11 years ago (Assignee)
Attachment #799651 - Flags: review?(dkeeler)
Comment 2 • 11 years ago
Comment on attachment 799651 [details] [diff] [review]
false start rc4 and rsa accommodations need exact principal matches
Review of attachment 799651 [details] [diff] [review]:
-----------------------------------------------------------------
As I understand it, this is correct.
I take it we don't have the test infrastructure to test this yet?
Attachment #799651 - Flags: review?(dkeeler) → review+

Comment 3 • 11 years ago (Assignee)
(In reply to David Keeler (:keeler) from comment #2)
> Comment on attachment 799651 [details] [diff] [review]
> false start rc4 and rsa accommodations need exact principal matches
>
> Review of attachment 799651 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> As I understand it, this is correct.
> I take it we don't have the test infrastructure to test this yet?
Not meaningfully, no. But I did hand-test the positive and negative cases.
Comment 4 • 11 years ago (Assignee)

Comment 5 • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26

Updated • 11 years ago (Assignee)

Comment 6 • 11 years ago (Assignee)
Comment on attachment 799651 [details] [diff] [review]
false start rc4 and rsa accommodations need exact principal matches
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 658222
User impact if declined: weakening of a security-in-depth approach. No known vulnerability.
Testing completed (on m-c, etc.): on m-c; hand-tested with Facebook and Google.
Risk to taking this patch (and alternatives if risky): low risk, modest change. Alternatives would be to just live with it on 25 or pref off in 25, but it's a significant performance feature and IMO the patch is low risk.
String or IDL/UUID changes made by this patch: none.
Attachment #799651 - Flags: approval-mozilla-aurora?
Comment 7 • 11 years ago
Comment on attachment 799651 [details] [diff] [review]
false start rc4 and rsa accommodations need exact principal matches
Low risk fix while we're still on Aurora.
Patrick, please bring QA into the loop if you need help with testing, especially if there are specific areas of possible regression.
Attachment #799651 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 8 • 11 years ago (Assignee)

Comment 10 • 11 years ago (Assignee)
I don't think anything special is called for here, but if you'd like to verify the bug based on the info here, please be my guest.
Flags: needinfo?(mcmanus)