Closed Bug 912582 Opened 6 years ago Closed 6 years ago

false start rc4 and rsa accommodations need exact principal matches

Categories

(Core :: Networking: HTTP, defect)

25 Branch
x86_64
Linux
defect
Not set

Tracking

RESOLVED FIXED
mozilla26
Tracking Status
firefox24 --- unaffected
firefox25 --- fixed
firefox26 --- fixed

People

(Reporter: mcmanus, Assigned: mcmanus)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file)

The rc4/rsa history mechanisms used for false start currently allow subdomain matches. As false start is a transport optimization, the tracking should be on an exact host basis. See bug 658222 comment 43.
Depends on: tls-false-start
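The distinction the report draws, as an added illustration that is not Gecko/Necko code: a per-host history of which false-start accommodations (RC4 and RSA key exchange, as the bug names them) a server has been observed to need, with the old subdomain-match policy beside the exact-host policy the patch moves to. The class and method names (FalseStartHistory, Record, NeedsAccommodation) and the hostnames are constructed for this example; the page does not show Gecko's own data structure.

```cpp
// Illustrative only: a hypothetical per-host record of TLS false-start
// accommodations, with two match policies side by side.
#include <iostream>
#include <map>
#include <string>

enum class Accommodation { RC4 = 0, RSA = 1 };

class FalseStartHistory {
 public:
  // Subdomain: a record for "example.com" also covers "www.example.com"
  //            (the behaviour the bug removes).
  // ExactHost: a record covers only the host it was made for.
  enum class MatchPolicy { Subdomain, ExactHost };

  explicit FalseStartHistory(MatchPolicy policy) : mPolicy(policy) {}

  // Remember that |host| needed |a| to complete a false-started handshake.
  void Record(const std::string& host, Accommodation a) {
    mHistory[host] |= Bit(a);
  }

  // Should the next connection to |host| apply accommodation |a|?
  bool NeedsAccommodation(const std::string& host, Accommodation a) const {
    for (const auto& entry : mHistory) {
      if (!(entry.second & Bit(a))) continue;
      if (Matches(entry.first, host)) return true;
    }
    return false;
  }

 private:
  static unsigned Bit(Accommodation a) {
    return 1u << static_cast<unsigned>(a);
  }

  bool Matches(const std::string& recorded, const std::string& host) const {
    if (recorded == host) return true;
    if (mPolicy == MatchPolicy::ExactHost) return false;
    // Subdomain policy: |host| must end in ".recorded" (a plain suffix
    // test would wrongly let "example.com" cover "notexample.com").
    if (host.size() <= recorded.size()) return false;
    const std::size_t cut = host.size() - recorded.size();
    return host[cut - 1] == '.' &&
           host.compare(cut, recorded.size(), recorded) == 0;
  }

  MatchPolicy mPolicy;
  std::map<std::string, unsigned> mHistory;
};

// Builds one history per policy with a single RC4 record for "example.com"
// (constructed sample) and reports whether |host| inherits it.
bool SubdomainPolicyApplies(const std::string& host) {
  FalseStartHistory loose(FalseStartHistory::MatchPolicy::Subdomain);
  loose.Record("example.com", Accommodation::RC4);
  return loose.NeedsAccommodation(host, Accommodation::RC4);
}

bool ExactHostPolicyApplies(const std::string& host) {
  FalseStartHistory strict(FalseStartHistory::MatchPolicy::ExactHost);
  strict.Record("example.com", Accommodation::RC4);
  return strict.NeedsAccommodation(host, Accommodation::RC4);
}

int main() {
  for (const char* h : {"example.com", "www.example.com", "notexample.com"}) {
    std::cout << h << ": subdomain=" << SubdomainPolicyApplies(h)
              << " exact=" << ExactHostPolicyApplies(h) << '\n';
  }
  return 0;
}
```

With the subdomain policy, an RC4 accommodation learned for example.com is applied to www.example.com even though that host was never observed to need it; with the exact-host policy only example.com itself gets it, which is the per-endpoint tracking the report asks for.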
Comment on attachment 799651 [details] [diff] [review]
false start rc4 and rsa accommodations need exact principal matches

Review of attachment 799651 [details] [diff] [review]:
-----------------------------------------------------------------

As I understand it, this is correct.
I take it we don't have the test infrastructure to test this yet?
Attachment #799651 - Flags: review?(dkeeler) → review+
(In reply to David Keeler (:keeler) from comment #2)
> Comment on attachment 799651 [details] [diff] [review]
> false start rc4 and rsa accommodations need exact principal matches
> 
> Review of attachment 799651 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> As I understand it, this is correct.
> I take it we don't have the test infrastructure to test this yet?

Not meaningfully, no. But I did hand-test the positive and negative cases.
https://hg.mozilla.org/mozilla-central/rev/8628391a5a8b
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Comment on attachment 799651 [details] [diff] [review]
false start rc4 and rsa accommodations need exact principal matches

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 658222
User impact if declined: weakening of a security-in-depth approach. No known vulnerability.
Testing completed (on m-c, etc.): on m-c; hand tested with facebook and google.
Risk to taking this patch (and alternatives if risky): low-risk, modest change. Alternatives would be to just live with it on 25 or pref off in 25, but it's a significant performance feature and imo the patch is low risk.
String or IDL/UUID changes made by this patch: none.
Attachment #799651 - Flags: approval-mozilla-aurora?
Comment on attachment 799651 [details] [diff] [review]
false start rc4 and rsa accommodations need exact principal matches

Low risk fix while we're still on Aurora.

Patrick, please bring QA into the loop if you need help with testing - especially if there's specific areas of possible regression.
Attachment #799651 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Re comment 7, is there any QA needed here?
Flags: needinfo?(mcmanus)
I don't think anything special is called for here, but if you'd like to verify the bug based on the info here please be my guest.
Flags: needinfo?(mcmanus)
Whiteboard: [qa-]