Closed Bug 936818 Opened 11 years ago Closed 9 years ago

Adds tests for insecure TLS fallback (bug 839310 and 901718)

Categories

(Core :: Security: PSM, defect)


RESOLVED INCOMPLETE

People

(Reporter: briansmith, Unassigned)


Attachments

(2 files)

+++ This bug was initially created as a clone of Bug #839310 +++
+++ This bug was initially created as a clone of Bug #733647 +++
+++ This bug was initially created as a clone of Bug #565047 +++

The tests in bug 839310 were never checked in because the NSS patches that they depend on haven't been r+d yet. I'm filing this bug so we can close bug 839310. The patches are still attached to bug 839310.
Blocks: 839310
No longer blocks: 239381, 901718, 921907, 934663, 733647, 754356
No longer depends on: 839310
Assignee: nobody → brian
Rebased the patches on current mozilla-inbound and on top of the new patch for bug 909162.
Attachment #830014 - Flags: review+
Blocks: 901718
Summary: Adds tests for insecure fallback from TLS 1.1 -> TLS 1.0 (bug 839310) → Adds tests for insecure TLS fallback (bug 839310 and 901718)
Comment on attachment 831297
add-connection-close-case.patch

Review of attachment 831297:
-----------------------------------------------------------------

Studied https://bugzilla.mozilla.org/page.cgi?id=splinter.html&bug=936818&attachment=830014 and http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/tests/unit/head_psm.js#142 for a few minutes to give r+

r=honzab
Attachment #831297 - Flags: review?(honzab.moz) → review+
Assignee: brian → nobody
I am using Firefox 28.0 (Windows and Linux).

Here is an SSLv3 site:
https://www.mahaconnect.com

This site works in Firefox for Windows.

But it does not work on Firefox for Linux.

It works if I change max TLS version to 1.

But on Windows it works even if max TLS version is 3.

On Linux I am using OpenSSL v1.0.1e (but patched for Heartbleed). I am not sure if Firefox uses system OpenSSL.

What could be the reason?

(PS. I filed this bug just 2 min back in another ticket without realizing it's closed, so re-posting here.)

Sorry, the site is:
https://www.mahaconnect.in

The site https://www.mahaconnect.in works for me, with Firefox Aurora (30.a2) on Linux (Slackware 64). Firefox doesn't use OpenSSL, so no problem there.

I found the reason. Here is what was happening.

I have a Squid proxy with sslbump set up, which mimics the certificate. (Squid does not work with that site because it tries TLS 1.2 and the site fails.)

If I start Firefox with the proxy and access that site, it fails.

Then I set "No proxy". But it fails with a "no_cypher_overlap" error. Possibly because Firefox had already "cached" something in memory.

Now I restart Firefox (keeping the "No proxy" option). And then if I access the site, it opens fine.

So it looks like if you access the site with the proxy on then it fails, and it fails even after you disable the proxy. If you restart Firefox with "No proxy" then the site starts working!

Don't know if it's a bug or that is how it's supposed to happen.

Not really worthwhile after bug 1084025 is fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Depends on: 1084025
Resolution: --- → INCOMPLETE