Closed Bug 970453 Opened 11 years ago Closed 9 years ago

Potential False Negative for TLS safe renegotiation detection

Categories

(Core :: Security: PSM, defect)

x86_64
Windows 7
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: jrconlin, Unassigned)

Users connecting to a golang-based TLS server will see the following message:

E/GeckoConsole( 301): [JavaScript Error: "push.services.mozilla.com : server does not support RFC 5746, see CVE-2009-3555"]

Looking at the history for this bug, it appears that there was an issue surrounding cert renegotiations: https://bugzilla.mozilla.org/show_bug.cgi?id=526689#c8

The golang TLS code does not support any renegotiations, opting to error the connection if one is attempted: http://golang.org/src/pkg/crypto/tls/conn.go#518

I believe that the flag detection only looks to see if the server supports safe renegotiation to indicate that there is a potential issue. http://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSCallbacks.cpp#1180

It may be necessary to amend the detection to also permit servers that provide no renegotiation, since this would also prevent any renegotiation-based attacks.
Ping? We're seeing mobile devices being affected by this bug. Can I please have some resolution?
Component: Security → Security: PSM
Product: Firefox → Core
See Also: → 1140384
We can't assume the server is doing the right thing in these cases (see https://tools.ietf.org/html/rfc5746#section-4.1 ).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
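
The only RFC 5746 signal a client can observe during the handshake is whether the ServerHello carries the renegotiation_info extension (type 0xff01); a server that merely refuses renegotiation sends nothing to distinguish itself from an unpatched one. The following added example (not code from this bug, from Firefox/NSS, or from Go's crypto/tls) parses a ServerHello body for that extension; `hasRenegotiationInfo` and `sampleHello` are hypothetical names and the hello bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

var errShort = fmt.Errorf("truncated ServerHello")

// hasRenegotiationInfo reports whether a ServerHello body (the bytes after the
// 4-byte handshake header) carries renegotiation_info (0xff01, RFC 5746).
func hasRenegotiationInfo(b []byte) (bool, error) {
	u16 := binary.BigEndian.Uint16
	if len(b) < 35 { // version(2) + random(32) + session_id length(1)
		return false, errShort
	}
	p := 35 + int(b[34]) + 3 // skip session_id, cipher_suite(2), compression(1)
	if len(b) == p {
		return false, nil // no extensions block at all
	}
	if len(b) < p+2 {
		return false, errShort
	}
	end := p + 2 + int(u16(b[p:])) // end of the extensions block
	if end > len(b) {
		return false, errShort
	}
	for p += 2; p < end; {
		if p+4 > end || p+4+int(u16(b[p+2:])) > end {
			return false, errShort
		}
		if u16(b[p:]) == 0xff01 {
			return true, nil
		}
		p += 4 + int(u16(b[p+2:])) // next extension: type(2) + len(2) + data
	}
	return false, nil
}

// sampleHello builds a constructed TLS 1.2 ServerHello body around exts.
func sampleHello(exts []byte) []byte {
	b := append([]byte{3, 3}, make([]byte, 32)...) // version, zeroed random
	b = append(b, 0x00, 0xc0, 0x2f, 0x00)          // empty session_id, suite, null compression
	b = append(b, byte(len(exts)>>8), byte(len(exts)))
	return append(b, exts...)
}

func main() {
	fmt.Println(hasRenegotiationInfo(sampleHello([]byte{0xff, 0x01, 0, 1, 0})))
}
```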