
Issue metadata

Status: Fixed
Owner:
Closed: Feb 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug




Issue 436391: Add info on end of life of SSLVersionFallbackMin & SSLVersionMin policy in documentation

Reported by saswat@chromium.org, Nov 25 2014 Project Member

Issue description

Version: 39-44
OS: All

http://www.chromium.org/administrators/policy-list-3#SSLVersionFallbackMin

For SSLVersionFallbackMin & SSLVersionMin policies, please add the following Warning sentence at the start of the Description.

"Warning: This policy is a temporary measure and will only take effect until Chrome version 44 (around July 2015). SSLv3 support will be entirely removed from Chrome thereafter."
 

Comment 1 by saswat@chromium.org, Nov 25 2014

Correction, we can't make the warning for the entire policy, it applies only to the 'ssl3' setting.

So please put it at the end of the description with the following text:
 
"Warning: Setting this policy to 'ssl3' is a temporary measure and will only take effect until Chrome version 44 (around July 2015). SSLv3 support will be entirely removed from Chrome thereafter and TLS 1.0 will be the default."

Comment 2 by tnagel@chromium.org, Nov 25 2014

I wouldn't want to promise that TLS 1.0 will be the new default. That decision should be taken by the security folks and if new vulnerabilities are discovered in the meantime, it might not be TLS 1.0. Thus I'd suggest the following text:

Warning: SSLv3 support will be entirely removed from Chrome in version 44 (around July 2015) after which the setting "ssl3" will be ignored in favor of the then-current default.

Adam:  At the moment we document the default for the minimum ssl version as "SSLv3 in Chrome 39 but may be TLS 1.0 in Chrome 40".  It would be great if we could be more specific.  Have we decided the default for M40, yet?

Comment 3 by bugdroid1@chromium.org, Nov 28 2014

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1481769622de486860fd291a72ddcad46b0a25e9

commit 1481769622de486860fd291a72ddcad46b0a25e9
Author: tnagel <tnagel@chromium.org>
Date: Fri Nov 28 17:51:45 2014

policy_templates.json: Document full removal of SSLv3 after M43.

BUG= 436391 

Review URL: https://codereview.chromium.org/762173003

Cr-Commit-Position: refs/heads/master@{#306100}

[modify] http://crrev.com/1481769622de486860fd291a72ddcad46b0a25e9/components/policy/resources/policy_templates.json

Comment 4 by bugdroid1@chromium.org, Dec 1 2014

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/57cd3b0d772cbe663971e1c954c206cf5caa8538

commit 57cd3b0d772cbe663971e1c954c206cf5caa8538
Author: tnagel <tnagel@chromium.org>
Date: Mon Dec 01 11:16:27 2014

policy_templates.json: Document SSL default for M40.

At that occasion: polish the wording a bit.

BUG= 436391 

Review URL: https://codereview.chromium.org/743903003

Cr-Commit-Position: refs/heads/master@{#306172}

[modify] http://crrev.com/57cd3b0d772cbe663971e1c954c206cf5caa8538/components/policy/resources/policy_templates.json

Comment 5 by tnagel@chromium.org, Dec 1 2014

Status: Fixed
Fixed in policy_templates.json and updated https://sites.google.com/a/chromium.org/dev/administrators/policy-list-3 .

Comment 6 by agl@chromium.org, Dec 1 2014

> Adam:  At the moment we document the default for the minimum ssl version as "SSLv3 in Chrome 39 but may be TLS 1.0 in Chrome 40".  It would be great if we could be more specific.  Have we decided the default for M40, yet?

The default for M40 is to have SSLv3 disabled, but it remains to be seen whether it'll stick. In short, we don't know any more specifically yet.

Comment 7 by tnagel@chromium.org, Jan 28 2015

Labels: -Pri-2 Pri-1 ReleaseBlock-Beta M-42
Status: Started
Re-opening because in variance with #1 the deprecation was applied to the whole policy instead of just the ssl3 part which due to bug 451073 gave rise to bug 450869.

Comment 8 by agl@chromium.org, Jan 28 2015

Re #7: my plan was to remove these policy options completely around the Chrome 44 timeline.

Comment 9 by tnagel@chromium.org, Jan 28 2015

Cc: saswat@chromium.org
What's the reasoning behind this plan?

I'd rather keep the policy so that we can react quickly if - say - a critical flaw in TLS 1.0 was disclosed.

Comment 10 by agl@chromium.org, Jan 28 2015

If TLS 1.0 falls we have bigger problems. My feeling is that this is excess complexity that shouldn't be kept without good reason.

Comment 11 by tnagel@chromium.org, Jan 29 2015

I'm all for reducing complexity.  Drew, Saswat, do you have any objections to removing the SSLVersion*Min policies together with the SSLv3 code?

Comment 12 by atwilson@chromium.org, Jan 29 2015

Cc: mnissler@chromium.org
I don't object to deprecating these policies, but we'd need to do two things first:

1) If this policy is exposed via cpanel, see how many domains are using these policies and would have their browser behavior impacted by removing them (i.e. if they have more restrictive values than our default).

2) Go through our standard policy deprecation process, with timelines + notification to admins (important for GPO users where we don't have any visibility into their use).
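
Added example, not part of the thread or of Chromium's code: one way an administrator could run the usage check described in point 1 over exported managed-policy JSON, flagging deployments whose behaviour changes when the SSLVersion*Min policies are removed. The TLS value strings, the `tls1` default and the sample domains are assumptions made for illustration.

```python
import json

# Protocol ordering, weakest first. "ssl3" is the value named in the thread;
# the TLS value strings are assumed here for illustration.
ORDER = ["ssl3", "tls1", "tls1.1", "tls1.2"]
POLICIES = ("SSLVersionMin", "SSLVersionFallbackMin")


def audit_policy(policy, default_min="tls1"):
    """Classify each SSLVersion*Min setting against an assumed browser default.

    Returns (policy_name, value, impact) tuples for settings whose behaviour
    changes once the policy is removed; values equal to the default are skipped.
    """
    findings = []
    base = ORDER.index(default_min)
    for name in POLICIES:
        if name not in policy:
            continue
        value = policy[name]
        if value not in ORDER:
            findings.append((name, value, "unrecognised value"))
            continue
        rank = ORDER.index(value)
        if rank < base:
            findings.append((name, value, "weaker than default: old protocol allowed until removal"))
        elif rank > base:
            findings.append((name, value, "stricter than default: restriction lost on removal"))
    return findings


def audit_fleet(documents, default_min="tls1"):
    """documents maps a domain label to managed-policy JSON text."""
    report = {}
    for domain, text in documents.items():
        hits = audit_policy(json.loads(text), default_min)
        if hits:
            report[domain] = hits
    return report


# Constructed sample input: three hypothetical domains.
SAMPLE = {
    "legacy.example": '{"SSLVersionMin": "ssl3", "SSLVersionFallbackMin": "ssl3"}',
    "strict.example": '{"SSLVersionMin": "tls1.2"}',
    "default.example": '{"SSLVersionMin": "tls1", "HomepageLocation": "https://example.com"}',
}

if __name__ == "__main__":
    for domain, hits in audit_fleet(SAMPLE).items():
        for name, value, impact in hits:
            print(f"{domain}: {name}={value} -> {impact}")
```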

Comment 13 by tnagel@chromium.org, Jan 29 2015

Labels: -ReleaseBlock-Beta
After offline discussion with atwilson@, mnissler@, and saswat@ there's general agreement to remove the policy for M44.

This means that ReleaseBlock-Beta moves back to issue 451073 because we can't fix it here. The work that remains on this bug is to clarify all documentation that the whole policy (and not just the ssl3 setting) is going to be removed.

Comment 14 by bugdroid1@chromium.org, Feb 6 2015

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f5bb896da6b0be9f55f61253c550bfe8187c1eee

commit f5bb896da6b0be9f55f61253c550bfe8187c1eee
Author: tnagel <tnagel@chromium.org>
Date: Fri Feb 06 13:34:43 2015

Fix documentation of SSLVersion*Min policies.

For Chromium 44 not only SSLv3 support but also the policies that allow
to control SSL/TLS versions will be removed.

BUG= 436391 

Review URL: https://codereview.chromium.org/899973005

Cr-Commit-Position: refs/heads/master@{#315021}

[modify] http://crrev.com/f5bb896da6b0be9f55f61253c550bfe8187c1eee/components/policy/resources/policy_templates.json

Comment 15 by tnagel@chromium.org, Feb 6 2015

Status: Fixed
