Closed Bug 937789 Opened 6 years ago Closed 6 years ago

SSL/TLS Ciphers no longer shown in about:config

Categories

(Core Graveyard :: Security: UI, defect)


Tracking

(firefox26 unaffected, firefox27 verified, firefox28 verified)

VERIFIED FIXED
mozilla28

People

(Reporter: stebs, Assigned: steffen.wilberg)

References

Details

(Keywords: regression, Whiteboard: [good first bug])

Attachments

(1 file, 2 obsolete files)

about:config -> ssl3 no longer shows any ciphers at all (only those that were manually modified previously)

https://cc.dcsec.uni-hannover.de/ shows that all is well however, so it's only a "not shown in about:config" Bug.
With Nightly 2013-11-08 all was well.

I hope this is not intentional, for example disabling RC4 was very easy before...
These preferences were removed by Bug 934663
Blocks: 934663
(In reply to Alice0775 White from comment #1)
> These preferences were removed by Bug 934663

The prefs were not removed, just hidden. We can consider adding them back to about:config (unhiding them). I will accept a patch to do that. Take a look at the patch in bug 934663. Part of the patch for this bug would be to undo the changes to security-prefs.js, but also some things would need to be changed (e.g. adding prefs for the AES-GCM cipher suites, and changing some of the default values based on the changes made to the array in nsNSSComponent.cpp).
Whiteboard: [good first bug]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached patch patch (obsolete) — Splinter Review
This is a straight copy from nsNSSComponent.cpp, including the ordering, the default values and the comments.

Should be free from syntax errors because Firefox doesn't crash on startup anymore since I found the missing comma ;-)
Assignee: nobody → steffen.wilberg
Status: NEW → ASSIGNED
Attachment #8340779 - Flags: review?(brian)
OS: Linux → All
Hardware: x86_64 → All
Comment on attachment 8340779
patch

Review of attachment 8340779:
-----------------------------------------------------------------

Thanks for the patch. Could you please submit one without the comments in the security-prefs.js file? I think comments are OK but it seems like we avoid including comments in these files for some reason--probably to minimize memory usage and/or parse time during startup.

::: netwerk/base/public/security-prefs.js
@@ +15,5 @@
>  pref("security.ssl.enable_false_start", true);
>  pref("security.ssl.false_start.require-npn", true);
>  pref("security.ssl.false_start.require-forward-secrecy", true);
>  
> +// Cipher suites enabled by default
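Review bot: The added `// Cipher suites enabled by default` line at the end of this hunk describes default values without saying where they are defined. The patch description calls the list a straight copy from nsNSSComponent.cpp, so if a comment is kept at all it should name that array as the source, so that a default changed there is also changed here; otherwise drop the line and separate the two groups with a blank line.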

It is better to avoid the comments (including the "deprecated" comments), given that there are no other comments in the file. Just separate the disabled-by-default cipher suites and enabled-by-default cipher suites with a single blank line.
Attachment #8340779 - Flags: review?(brian) → review-
Attached patch without comments (obsolete) — Splinter Review
Here you are.
Note that we do have a lot of comments (more than 400) in the main Firefox prefs file:
http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js
Attachment #8340779 - Attachment is obsolete: true
Attachment #8341952 - Flags: review?(brian)
Removed the security.ssl3.ecdh_* prefs per bug 945871.
Attachment #8341952 - Attachment is obsolete: true
Attachment #8341952 - Flags: review?(brian)
Attachment #8341964 - Flags: review?(brian)
Attachment #8341964 - Flags: review?(brian) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/a71ebc7f1bb4

To verify:

1. Visit https://www.mikestoolbox.net (override the certificate error).
2. Note that there are several cipher suites listed that include "RC4".
3. Go to about:config.
4. Search for "rc4" in the prefs search box.
5. Switch all the "security.ssl3.*.rc4.*" prefs from true to false.
6. Visit https://www.mikestoolbox.net again.
7. Shift+Reload if necessary.
8. Notice that there are no "RC4" cipher suites listed any more.
9. Flip all the prefs you changed back to "true".
10. Verify that all the cipher suites show up again after reloading that web page.

(In reply to Steffen Wilberg from comment #5)
> Here you are.
> Note that we do have a lot of comments (more than 400) in the main Firefox
> prefs file:
> http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js

So there are. I guess I'd like comments but I don't care enough to figure out what problems could be introduced by adding them to this file, so let's just leave them out.

Thanks for updating the patch based on bug 945871 too.
Target Milestone: --- → mozilla28
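An added example, not part of the original bug thread or of Firefox's code: the RC4 check from the verification steps above, done offline against pref files by overlaying a profile's `user_pref` values on the shipped defaults and listing the `security.ssl3.*` RC4 prefs that are still `true`. The file contents and the helper names `parsePrefs`, `effectivePrefs` and `enabledRc4Prefs` are constructed for illustration.

```javascript
// Matches pref("name", value); and user_pref("name", value); lines.
// Only boolean and integer values are parsed; string prefs are skipped,
// since the cipher-suite prefs audited here are booleans.
const PREF_LINE =
  /^\s*(user_pref|pref)\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+)\s*\)\s*;/;

function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue; // comments, blank lines, unparsed value types
    const raw = m[3];
    const value = raw === "true" ? true : raw === "false" ? false : Number(raw);
    prefs.set(m[2], value);
  }
  return prefs;
}

// Effective value = shipped default overlaid with the profile's user_pref.
function effectivePrefs(defaultsText, userText) {
  return new Map([...parsePrefs(defaultsText), ...parsePrefs(userText)]);
}

// Sorted names of security.ssl3.* prefs containing "rc4" that are still true.
function enabledRc4Prefs(prefs) {
  return [...prefs]
    .filter(([name, v]) => /^security\.ssl3\..*rc4/i.test(name) && v === true)
    .map(([name]) => name)
    .sort();
}

// Constructed defaults in the style of security-prefs.js.
const SAMPLE_DEFAULTS = `
pref("security.ssl.enable_false_start", true);
pref("security.ssl3.ecdhe_rsa_rc4_128_sha", true);
pref("security.ssl3.rsa_rc4_128_sha", true);
pref("security.ssl3.rsa_rc4_128_md5", true);
pref("security.ssl3.rsa_aes_128_sha", true);
`;

// Constructed profile prefs.js: the user turned one RC4 suite off.
const SAMPLE_USER = `
// user-set values only
user_pref("security.ssl3.rsa_rc4_128_md5", false);
`;

console.log(enabledRc4Prefs(effectivePrefs(SAMPLE_DEFAULTS, SAMPLE_USER)));
```

Reading only the profile file returns an empty list here even though two RC4 suites are still on by default, which is the same blind spot as an about:config view that lists only user-modified prefs.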
Comment on attachment 8341964
without comments and without security.ssl3.ecdh_*

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 934663
User impact if declined: Users won't be able to easily enable/disable cipher suites in about:config like they have always been able to do.
Testing completed (on m-c, etc.): I tested this manually by following the steps I listed in the previous comment.
Risk to taking this patch (and alternatives if risky): No risk. The prefs already exist. This is just un-hiding them.

String or IDL/UUID changes made by this patch: none.
Attachment #8341964 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/a71ebc7f1bb4
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Attachment #8341964 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
I was able to verify the fix for this issue on Windows 7 x64 using the instructions provided by Brian in Comment 7 with:
- Aurora 28.0a2 (BuildID: 20131211004000): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
- Firefox 27.0b1 (BuildID: 20131209204824): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
- latest Nightly (BuildID: 20131211030206): Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:29.0) Gecko/20100101 Firefox/29.0
- latest Aurora (BuildID: 20131209004003): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0.
Status: RESOLVED → VERIFIED
Keywords: verifyme
Product: Core → Core Graveyard