Closed Bug 937789 Opened 6 years ago Closed 6 years ago
SSL/TLS Ciphers no longer shown in about:config
about:config -> ssl3 no longer shows any ciphers at all (only those that were manually modified previously)

https://cc.dcsec.uni-hannover.de/ shows that all is well however, so it's only a "not shown in about:config" Bug.

With Nightly 2013-11-08 all was well.

I hope this is not intentional, for example disabling RC4 was very easy before...
(In reply to Alice0775 White from comment #1)
> these preferences was removed by Bug 934663

The prefs were not removed, just hidden. We can consider adding them back to about:config (unhiding them). I will accept a patch to do that.

Take a look at the patch in bug 934663. Part of the patch for this bug would be to undo the changes to security-prefs.js, but also some things would need to be changed (e.g. adding prefs for the AES-GCM cipher suites, and changing some of the default values based on the changes made to the array in nsNSSComponent.cpp).
Whiteboard: [good first bug]
This is a straight copy from nsNSSComponent.cpp, including the ordering, the default values and the comments. Should be free from syntax errors because Firefox doesn't crash on startup anymore since I found the missing comma ;-)
Assignee: nobody → steffen.wilberg
Status: NEW → ASSIGNED
Attachment #8340779 - Flags: review?(brian)
Comment on attachment 8340779
patch

Review of attachment 8340779:
-----------------------------------------------------------------

Thanks for the patch. Could you please submit one without the comments in the security-prefs.js file? I think comments are OK but it seems like we avoid including comments in these files for some reason--probably to minimize memory usage and/or parse time during startup.

::: netwerk/base/public/security-prefs.js @@ +15,5 @@ > pref("security.ssl.enable_false_start", true); > pref("security.ssl.false_start.require-npn", true); > pref("security.ssl.false_start.require-forward-secrecy", true); > > +// Cipher suites enabled by default

It is better to avoid the comments (including the "deprecated" comments), given that there are no other comments in the file. Just separate the disabled-by-default cipher suites and enabled-by-default cipher suites with a single blank line.
Attachment #8340779 - Flags: review?(brian) → review-
Here you are. Note that we do have a lot of comments (more than 400) in the main Firefox prefs file: http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js
Removed the security.ssl3.ecdh_* prefs per bug 945871.
Attachment #8341964 - Flags: review?(brian) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/a71ebc7f1bb4

To verify:
1. Visit https://www.mikestoolbox.net (override the certificate error).
2. note that there are several cipher suites listed that include "RC4"
3. go to about:config
4. search for "rc4" in the prefs search box.
5. switch all the "security.ssl3.*.rc4.*" prefs from true to false.
6. Visit https://www.mikestoolbox.net again.
7. Shift+Reload if necessary.
8. Notice that there are no "RC4" cipher suites listed any more.
9. Flip all the prefs you changed back to "true"
10. Verify that all the cipher suites show up again after reloading that web page.

(In reply to Steffen Wilberg from comment #5)
> Here you are.
> Note that we do have a lot of comments (more than 400) in the main Firefox
> prefs file:
> http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js

So there are. I guess I'd like comments but I don't care enough to figure out what problems could be introduced by adding them to this file, so let's just leave them out.

Thanks for updating the patch based on bug 945871 too.
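The outcome of step 5 can also be checked offline by combining the shipped defaults with a profile's overrides. The script below is an added example, not part of this bug's patch or of any comment above; it assumes both files use the pref("name", true); line format quoted in the review, that user overrides live in the profile's prefs.js, and the pref names in the sample are constructed to match the "security.ssl3.*rc4*" pattern.

```python
import re

# Matches lines such as  pref("name", true);  or  user_pref("name", false);
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.M)


def parse_bool_prefs(text):
    """Return {pref name: bool} for every boolean pref line in text."""
    return {name: value == "true" for name, value in PREF_RE.findall(text)}


def effective_rc4_suites(defaults_text, user_text):
    """List security.ssl3.* RC4 prefs that end up enabled.

    Values set by the user override the shipped defaults, which is why a
    pref hidden from about:config can still be in effect.
    """
    merged = parse_bool_prefs(defaults_text)
    merged.update(parse_bool_prefs(user_text))
    return sorted(
        name for name, enabled in merged.items()
        if name.startswith("security.ssl3.") and "rc4" in name and enabled
    )


# Constructed sample input (not copied from the real security-prefs.js).
SAMPLE_DEFAULTS = '''
pref("security.ssl.enable_false_start", true);
pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
pref("security.ssl3.ecdhe_rsa_rc4_128_sha", true);
pref("security.ssl3.rsa_rc4_128_sha", true);
pref("security.ssl3.rsa_rc4_128_md5", true);
'''
# Constructed sample of user overrides: two of three RC4 suites turned off.
SAMPLE_USER = '''
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
'''

if __name__ == "__main__":
    for name in effective_rc4_suites(SAMPLE_DEFAULTS, SAMPLE_USER):
        print("RC4 still enabled:", name)
```

An empty result corresponds to step 8 of the manual check: no RC4 suite is left enabled.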
Target Milestone: --- → mozilla28
Comment on attachment 8341964
without comments and without security.ssl3.ecdh_*

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 934663
User impact if declined: Users won't be able to easily enable/disable cipher suites in about:config like they have always been able to do.
Testing completed (on m-c, etc.): I tested this manually by following the steps I listed in the previous comment.
Risk to taking this patch (and alternatives if risky): No risk. The prefs already exist. This is just un-hiding them.
String or IDL/UUID changes made by this patch: none.
Attachment #8341964 - Flags: approval-mozilla-aurora?
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Attachment #8341964 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
I was able to verify the fix for this issue on Windows 7 x64 using the instructions provided by Brian in Comment 7 with:
- Aurora 28.0a2 (BuildID: 20131211004000): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
- Firefox 27.0b1 (BuildID: 20131209204824): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
- latest Nightly (BuildID: 20131211030206): Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:29.0) Gecko/20100101 Firefox/29.0
- latest Aurora (BuildID: 20131209004003): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0.