Bug 1083058 - A pref to control TLS version fallback
Status: VERIFIED FIXED
Product: Core
Classification: Components
Component: Security: PSM
Version: unspecified
Platform: All All
Importance: -- normal
Target Milestone: mozilla36
Assigned To: Martin Thomson [:mt]
Duplicates: 634499 689814
Depends on: 1093724
Blocks: 1084025
Reported: 2014-10-15 00:14 PDT by Martin Thomson [:mt]
Modified: 2015-02-18 10:20 PST
Flags: ryanvm: in-testsuite+
Tracking flags: wontfix, +, verified, verified, verified, 36+, affected

Attachments
0001-Bug-1083058-Adding-pref-to-control-TLS-version-fallb.patch (15.79 KB, patch), 2014-10-16 12:05 PDT, Martin Thomson [:mt]; martin.thomson: review+; lukasblakk+bugs: approval-mozilla-aurora+
1083058-beta.patch (14.25 KB, patch), 2014-10-16 17:17 PDT, Martin Thomson [:mt]; martin.thomson: review+; lukasblakk+bugs: approval-mozilla-beta+

Description Martin Thomson [:mt] 2014-10-15 00:14:24 PDT
A patch to control TLS version fallback was developed in response to bug 1076983.  We ultimately decided to disable SSLv3 entirely, but the feature is still useful.
Comment 2 Martin Thomson [:mt] 2014-10-16 12:05:40 PDT
Created attachment 8506326
0001-Bug-1083058-Adding-pref-to-control-TLS-version-fallb.patch

Carrying r=keeler from bug 1076983 attachment 8501520.

Approval Request Comment
[Feature/regressing bug #]: 1083058
[User impact if declined]:

I think that this patch should follow bug 1076983 out, though perhaps not as far back as ESR. The risk is that someone uses a pref to enable SSLv3 for specific sites (enterprise cases in particular). That opens those users up to POODLE attacks due to our insecure downgrade. This prevents the insecure downgrade to SSLv3.

Furthermore, if bug 1076983 reveals breakage in sites that we can't tolerate, we can back that out and get the limited protection that this patch offers.

[Describe test coverage new/current, TBPL]:

New unit tests (in patch); tbpl (comment 1); manual testing.

[Risks and why]: Without bug 1076983, this will break site compatibility with sites that only offer a TLS-intolerant SSLv3 stack.  This is a strict subset of the sites affected by disabling SSLv3 entirely (bug 1076983).

[String/UUID change made/needed]: None

Note: different patches are required for older releases.
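To make the approval-request argument above concrete, here is an added model of the client-side version fallback (an illustration written for this page, not code from the Firefox/PSM patch). It assumes the pref names security.tls.version.min, security.tls.version.max and security.tls.version.fallback-limit, and the 0..3 version numbering those prefs use (0 = SSL 3.0 up to 3 = TLS 1.2); the server and attacker objects are constructed stand-ins. It shows the three cases the comment describes: an active attacker driving a client that has re-enabled SSLv3 all the way down to SSLv3 (the POODLE setup), the same attempt stopped by a fallback limit of TLS 1.0, and the compatibility cost that a TLS-intolerant SSLv3-only server then fails to connect.

```python
"""Model of browser TLS version fallback and a fallback-limit pref.

Illustration only; not the Firefox/PSM implementation.  Version numbers
follow the security.tls.version.* prefs: 0 = SSL 3.0, 1 = TLS 1.0,
2 = TLS 1.1, 3 = TLS 1.2.  The pref name
security.tls.version.fallback-limit is assumed to be the one this bug adds.
"""

SSL3, TLS10, TLS11, TLS12 = 0, 1, 2, 3
NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


class HandshakeFailed(Exception):
    """The server (or someone in the middle) aborted the handshake."""


def honest_server(max_supported):
    """Well-behaved server: negotiates the highest version it shares with the client."""
    def handshake(client_max):
        return min(client_max, max_supported)
    return handshake


def intolerant_server(max_supported):
    """Version-intolerant server: aborts if offered anything above max_supported."""
    def handshake(client_max):
        if client_max > max_supported:
            raise HandshakeFailed("server closed connection")
        return client_max
    return handshake


def downgrade_attacker(server_handshake, force_below):
    """Active attacker that kills every handshake offering >= force_below.

    To the client this is indistinguishable from version intolerance, which is
    why an unconditional retry-one-lower policy is an insecure downgrade.
    """
    def handshake(client_max):
        if client_max >= force_below:
            raise HandshakeFailed("connection reset")
        return server_handshake(client_max)
    return handshake


def connect(server_handshake, prefs):
    """Emulate fallback: offer version.max; on failure retry one version lower.

    Never retry below the fallback limit (or below version.min).  An absent
    fallback-limit pref is modelled (assumption) as the pre-patch behaviour of
    falling all the way to version.min.  Returns (negotiated_or_None, attempts).
    """
    vmin = prefs["security.tls.version.min"]
    vmax = prefs["security.tls.version.max"]
    floor = max(vmin, prefs.get("security.tls.version.fallback-limit", vmin))
    attempts = []
    version = vmax
    while True:
        attempts.append(version)
        try:
            return server_handshake(version), attempts
        except HandshakeFailed:
            if version <= floor:
                return None, attempts  # refuse to downgrade any further
            version -= 1


# Constructed pref sets.  An enterprise re-enables SSLv3 for a legacy site by
# setting version.min = 0; without a fallback limit every failure is retried
# down to SSLv3.  The hardened set keeps SSLv3 enabled but caps fallback at TLS 1.0.
ENTERPRISE_PREFS = {"security.tls.version.min": SSL3, "security.tls.version.max": TLS12}
HARDENED_PREFS = dict(ENTERPRISE_PREFS, **{"security.tls.version.fallback-limit": TLS10})


def describe(label, server_handshake, prefs):
    negotiated, attempts = connect(server_handshake, prefs)
    outcome = NAMES[negotiated] if negotiated is not None else "handshake failed"
    return f"{label}: {outcome} (offered {[NAMES[v] for v in attempts]})"


if __name__ == "__main__":
    poodle = lambda: downgrade_attacker(honest_server(TLS12), force_below=TLS10)
    print(describe("attacker, no fallback limit", poodle(), ENTERPRISE_PREFS))
    print(describe("attacker, limit TLS 1.0", poodle(), HARDENED_PREFS))
    print(describe("SSLv3-only intolerant server, no limit", intolerant_server(SSL3), ENTERPRISE_PREFS))
    print(describe("SSLv3-only intolerant server, limit TLS 1.0", intolerant_server(SSL3), HARDENED_PREFS))
    print(describe("TLS 1.0-only intolerant server, limit TLS 1.0", intolerant_server(TLS10), HARDENED_PREFS))
```

Real browsers retry only on specific handshake errors, but the model's point holds: the client cannot tell an intolerant server from an attacker resetting the connection, so the only robust defence is a floor below which it will not retry. With the limit at TLS 1.0 the attacker's downgrade ends in a failed connection instead of an SSLv3 session, while a server that genuinely supports nothing but SSLv3 also stops working, which is the strict-subset compatibility risk noted above.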
Comment 3 Martin Thomson [:mt] 2014-10-16 17:17:56 PDT
Created attachment 8506521
1083058-beta.patch

Rebased to beta.

Approval Request Comment, see comment 2
Comment 4 Masatoshi Kimura [:emk] 2014-10-16 21:49:07 PDT
*** Bug 689814 has been marked as a duplicate of this bug. ***
Comment 5 Lawrence Mandel [:lmandel] (use needinfo) 2014-10-17 18:14:27 PDT
Is the plan only to land this on 34 or do you want this in 34+? Also, isn't the primary audience for this change enterprises, who, unless we backport, won't get this change on ESR until June 2015 at the earliest?
Comment 6 Martin Thomson [:mt] 2014-10-17 20:23:05 PDT
All of which are good questions.  Aren't we porting bug 1076983 to ESR 31.3?  I think that that would cover that aspect.  Basically, I think that this should follow 1076983.  ESR primarily for the reasons you note.  That means I should probably ask for approval for all the b2g variants too.
Comment 7 Lawrence Mandel [:lmandel] (use needinfo) 2014-10-19 19:51:42 PDT
Should this wait to land until bug 1076983 lands?

Note that I would still like to see this land on m-c first and only uplift after the change is verified to be good.
Comment 8 Martin Thomson [:mt] 2014-10-20 04:03:20 PDT
Yes, waiting sounds prudent.

I'll land this on m-c shortly.  Let's give it a few days to settle there before it goes anywhere else.
Comment 9 Martin Thomson [:mt] 2014-10-20 04:41:35 PDT
Saw a couple of problems in the first, limited try run.  Nothing direct, so I'm giving this more chances to fail.  https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=eef2fcb97048
Comment 11 Ryan VanderMeulen [:RyanVM UTC-4] 2014-10-21 12:29:29 PDT
https://hg.mozilla.org/mozilla-central/rev/b468088751c1
Comment 13 Florian Bender 2014-10-23 13:01:24 PDT
[Tracking Requested - why for this release]: per comment 6
Comment 14 Cykesiopka 2015-02-03 04:18:30 PST
*** Bug 634499 has been marked as a duplicate of this bug. ***