Closed
Bug 919677
Opened 11 years ago
Closed 11 years ago
NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.15.3
People
(Reporter: ryan.sleevi, Assigned: agl)
References
Details
(Keywords: regression)
Attachments
(1 file)
(deleted),
patch
|
wtc
:
review+
|
Details | Diff | Splinter Review |
NSS advertises SHA-256 ciphersuites with a TLS 1.1 ClientHello.
This breaks interop with PolarSSL servers because they also have a bug - they accept the SHA-256 ciphersuite and then break because they negotiated TLS 1.1
Reporter | ||
Comment 1•11 years ago
|
||
Originally reported by Adam Langley against Chromium at https://code.google.com/p/chromium/issues/detail?id=297151
Comment 2•11 years ago
|
||
Is the problem that the PolarSSL server breaks itself by negotiating a SHA-256 ciphersuite and then has some internal error? Or, is the problem that the PolarSSL server negotiates a SHA-256 cipher suite and then we, the NSS client refuses to continue because SHA-256 is not allowed?
If it is the former, then that sucks pretty bad. If it is the latter, then IMO we should just try to keep going with the SHA-256 cipher suite even on a TLS 1.1 connection, treating it like a TLS 1.2 connection except for the on-the-wire record version numbers.
Comment 3•11 years ago
|
||
Fixed title.
Summary: NSS advertises TLS 1.2 ciphersuites in a TLS 1.2 ClientHello → NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello
Assignee | ||
Comment 4•11 years ago
|
||
Initially I thought that PolarSSL was picking a SHA256 cipher suite and then falling over its own shoelaces, but having looked at the NSS code, I'm now not sure. NSS doesn't check the version when sending the cipher suites in the ClientHello, but does check the version when processing the ServerHello, so it's possible that it's NSS that's breaking when Polar sends a SHA256 cipher suite back.
I don't have an example PolarSSL server to be sure however. I tried https://polarssl.org, but it doesn't exhibit this problem.
(Chromium patch: https://codereview.chromium.org/23928007/, out for Wan-Teh's review)
Assignee | ||
Comment 5•11 years ago
|
||
I confirmed with the PolarSSL folks that the issue is that NSS chokes on the SHA256 ciphersuite in the ServerHello. It's not an internal, PolarSSL error.
Comment 6•11 years ago
|
||
Is this what's ironically preventing me from viewing https://www.imperialviolet.org/2013/03/20/alpn.html in Firefox 27.0a1?
Secure Connection Failed
An error occurred during a connection to www.imperialviolet.org. SSL peer selected a cipher suite disallowed for the selected protocol version. (Error code: ssl_error_cipher_disallowed_for_version)
Gerv
Assignee | ||
Comment 7•11 years ago
|
||
(In reply to Gervase Markham [:gerv] from comment #6)
> Is this what's ironically preventing me from viewing
> https://www.imperialviolet.org/2013/03/20/alpn.html in Firefox 27.0a1?
Yes, I'm running a prerelease Go 1.2 on that server. It's on my todo list now to not try selecting these cipher suites out-of-version.
Comment 8•11 years ago
|
||
This patch has been reviewed by me at https://codereview.chromium.org/23928007/.
Attachment #810029 -
Flags: review+
Comment 9•11 years ago
|
||
Patch checked in: https://hg.mozilla.org/projects/nss/rev/203eb8e22a97
Severity: normal → major
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Priority: P2 → P1
Resolution: --- → FIXED
Version: trunk → 3.15.1
Comment 10•11 years ago
|
||
We need this landed to mozilla-central (and possibly uplifted to mozilla-aurora if there's time and it's low risk). Can you prepare the patch & mark for checkin?
Flags: needinfo?(agl)
Comment 11•11 years ago
|
||
lsblakk: yes, Brian Smith or I can prepare a NSS 3.15.3 Beta 1 release and push it to
mozilla-central.
Flags: needinfo?(agl)
Comment 12•11 years ago
|
||
Kai: this bug should be considered a regression in NSS 3.15.1.
We should include the fix in NSS 3.15.3. Thanks.
Updated•11 years ago
|
Keywords: regression
Comment 13•11 years ago
|
||
(In reply to Wan-Teh Chang from comment #12)
> Kai: this bug should be considered a regression in NSS 3.15.1.
> We should include the fix in NSS 3.15.3. Thanks.
I agree, I had suggested the same on our list, and I've included it in the NSS_3_15_3_BETA3 tag already.
It's included, because the branch is based on revision 10853:eeb277ec054c, which came after the landing of this bug in revision 10852:203eb8e22a97
Comment 14•11 years ago
|
||
(I agree it would have been clearer, if I had used NSS_3_15_2_RTM as the base for the branch. But I had followed your proposal to use a more recent snapshot, if possible, and that revision seemed appropriate, as it contained only the version number change and the checkin for this bug.)
Comment 15•11 years ago
|
||
Can someone tell me if there is a reason why this issue, fixed in NSS 3.15.3, doesn't have a CVE assigned?
I'm writing an advisory for the NSS update in the current release and want to reference bugs/CVEs that we addressed with the NSS update.
Comment 16•11 years ago
|
||
(In reply to Al Billings [:abillings] from comment #15)
> Can someone tell me if there is a reason why this issue, fixed in NSS
> 3.15.3, doesn't have a CVE assigned?
This is a compatibility bug, not a security bug.
Comment 17•11 years ago
|
||
All right. This won't be called out then.
Comment 18•11 years ago
|
||
Al: this bug is fixed in NSS 3.15.3 because it is a regression.
You need to log in
before you can comment on or make changes to this bug.
Description
•