937789 - SSL/TLS Ciphers no longer shown in about:config

Status: VERIFIED FIXED

(Core Graveyard :: Security: UI, defect)

Description

[Stebs]

about:config -> ssl3 no longer shows any ciphers at all (only those that were manually modified previously)

https://cc.dcsec.uni-hannover.de/ shows that all is well however, so it's only a "not shown in about:config" Bug.
With Nightly 2013-11-08 all was well.

I hope this is not intentional, for example disabling RC4 was very easy before...

Comment 1

[Alice0775 White]

these preferences was removed by Bug 934663

Comment 2

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

(In reply to Alice0775 White from comment #1)
> these preferences was removed by Bug 934663

The prefs were not removed, just hidden. We can consider adding them back to about:config (unhiding them). I will accept a patch to do that. Take a look at the patch in bug 934663. Part of the patch for this bug would be to undo the changes to security-prefs.js, but also some things would need to be changed (e.g. adding prefs for the AES-GCM cipher suites, and changing some of the default values based on the changes made to the array in nsNSSComponent.cpp).

Comment 3

[Steffen Wilberg]

Attachment: patch

This is a straight copy from nsNSSComponent.cpp, including the ordering, the default values and the comments.

Should be free from syntax errors because Firefox doesn't crash on startup anymore since I found the missing comma ;-)

Comment 4

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Comment on attachment 8340779 [details] [diff] [review]
patch

Review of attachment 8340779 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for the patch. Could you please submit one without the comments in the security-prefs.js file? I think comments are OK but it seems like we avoid including comments in these files for some reason--probably to minimize memory usage and/or parse time during startup.

::: netwerk/base/public/security-prefs.js
@@ +15,5 @@
>  pref("security.ssl.enable_false_start", true);
>  pref("security.ssl.false_start.require-npn", true);
>  pref("security.ssl.false_start.require-forward-secrecy", true);
>  
> +// Cipher suites enabled by default

It is better to avoid the comments (including the "deprecated" comments), given that there are no other comments in the file. Just separate the disabled-by-default cipher suites and enabled-by-default cipher suites with a single blank line.

Comment 5

[Steffen Wilberg]

Attachment: without comments

Here you are.
Note that we do have a lot of comments (more than 400) in the main Firefox prefs file:
http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js

Comment 6

[Steffen Wilberg]

Attachment: without comments and without security.ssl3.ecdh_*

Removed the security.ssl3.ecdh_* prefs per bug 945871.

Comment 7

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/a71ebc7f1bb4

To verify:

1. Visit https://www.mikestoolbox.net (override the certificate error).
2. note that there are several cipher suites listed that include "RC4"
3. go to about:config
4. search for "rc4" in the prefs search box.
5. switch all the "security.ssl3.*.rc4.*" prefs from true to false.
6. Visit https://www.mikestoolbox.net again.
7. Shift+Reload if necessary.
8. Notice that there are no "RC4" cipher suites listed any more.
9. Flip all the prefs you changed back to "true"
10. Verify that all the cipher suites show up again after reloading that web page.

(In reply to Steffen Wilberg from comment #5)
> Here you are.
> Note that we do have a lot of comments (more than 400) in the main Firefox
> prefs file:
> http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js

So there are. I guess I'd like comments but I don't care enough to figure out what problems could be introduced by adding them to this file, so let's just leave them out.

Thanks for updating the patch based on bug 945871 too.

Comment 8

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Comment on attachment 8341964 [details] [diff] [review]
without comments and without security.ssl3.ecdh_*

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 934663
User impact if declined: Users won't be able to easily enable/disable cipher suites in about:config like they have always been able to do.
Testing completed (on m-c, etc.): I tested this manually by following the steps I listed in the previous comment.
Risk to taking this patch (and alternatives if risky): No risk. The prefs already exist. This is just un-hiding them.

String or IDL/UUID changes made by this patch: none.

Comment 9

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/a71ebc7f1bb4

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/9b1397fd2715

Comment 11

[Andrei Vaida [:avaida] - PTO, returning Oct 29]

I was able to verify the fix for this issue on Windows 7 x64 using the instructions provided by Brian in Comment 7 with:
- Aurora 28.0a2 (BuildID: 20131211004000): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
- Firefox 27.0b1 (BuildID: 20131209204824): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
- latest Nightly (BuildID: 20131211030206): Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:29.0) Gecko/20100101 Firefox/29.0
- latest Aurora (BuildID: 20131209004003): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0.