Adds tests for insecure TLS fallback (bug 839310 and 901718)




6 years ago
4 years ago


(Reporter: briansmith, Unassigned)


Dependency tree / graph

Firefox Tracking Flags

(Not tracked)




(2 attachments)

+++ This bug was initially created as a clone of Bug #839310 +++
+++ This bug was initially created as a clone of Bug #733647 +++
+++ This bug was initially created as a clone of Bug #565047 +++

The tests in bug 839310 were never checked in because the NSS patches that they depend on haven't been r+d yet. I'm filing this bug so we can close bug 839310. The patches are still attached to bug 839310.
Blocks: 839310
No longer blocks: 239381, 901718, 921907, 934663, 733647, 754356
No longer depends on: 839310
Assignee: nobody → brian
Rebased the patches on current mozilla-inbound and on top of the new patch for bug 909162.
Attachment #830014 - Flags: review+
Blocks: 901718
Summary: Adds tests for insecure fallback from TLS 1.1 -> TLS 1.0 (bug 839310) → Adds tests for insecure TLS fallback (bug 839310 and 901718)
Comment on attachment 831297 [details] [diff] [review]

Review of attachment 831297 [details] [diff] [review]:

Studied and few minutes to give r+

Attachment #831297 - Flags: review?(honzab.moz) → review+
Assignee: brian → nobody

Comment 4

5 years ago
I am using Firefox 28.0.(windows and linux)

Here is a SSLv3 site:

This site works in Firefox for windows.

But it does not work on Firefox for Linux.

It works if I change max tls version to 1.

But in windows it works even if max tls version is 3.

On Linux I am using OpenSSL v1.0.1e (but patched for heartbleed). I am not sure if Firefox uses system OpenSSL.

What could be the reason?

(PS. I filed this bug just 2min back in other ticket without realizing its closed so re-posting here)

Comment 5

5 years ago
Sorry site is:

Comment 6

5 years ago
site works for me, with firefox aurora (30.a2) on linux (slackware 64). firefox don't use openssl, so no problem there.

Comment 7

5 years ago
I found the reason. Here is what was happening.

I have a squid proxy with sslbump set up. Which mimics certificate. (squid does not work with that site because it tries TLS1.2 and site fails)

If I start firefox with proxy and access that site, it would fail.

Then I set "No proxy". But it fails with "no_cypher_overlap" error. Possibly because Firefox had already "cached" something in memory.

Now I restart Firefox (keeping no proxy option). And then if I access the site, it opened fine.

So it looks like if you access the site with proxy on then it fails, and it fails even after you disable proxy. If you restart Firefox with "no proxy" then site starts working!

Dont know if its a bug or that is how its supposed to happen.
Not really worthwhile after bug 1084025 is fixed.
Last Resolved: 4 years ago
Depends on: 1084025
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.