
Issue metadata

Status: Fixed
Owner:
Closed: Apr 2015
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Merge change to reject DHE for False Start

Project Member Reported by agl@chromium.org, Apr 6 2015

Issue description

We expect the weak-DH work to go public during the lifetime of M42 so wish to merge the change to disable False Start for DHE before M42 goes stable.

Merging will require merging https://codereview.chromium.org/1057733002/ to the branch and updating the branch DEPS for BoringSSL from 367545d0b46d2b8a494af69ec086df325d04de11 to b8cbbec76bb6e8c0b7cbd20bba06a1516ef26c23.

amineer: please see email thread "May need to merge False Start DHE change for M42."

Note: issue #460271 will get a bugdroid mail unless the BUG= line is elided or swapped for this one when merging the Chromium-side change.

Comment 2 by amin...@google.com, Apr 6 2015

Labels: -Merge-Requested Merge-Review Hotlist-Merge-Review
[Automated comment] No bugdroid (commit) comments found, couldn't auto-approve, needs manual review.
Labels: -Merge-Review Merge-Approved
merge approved for m42 branch 2311

Comment 4 by agl@chromium.org, Apr 6 2015

I can merge the change to the branch, but how do I update the branch DEPS?

Comment 5 by bugdroid1@chromium.org, Apr 6 2015

Labels: -Merge-Approved merge-merged-2311
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bbf0183022423d02d3cc3f523fea1c84ddcabd23

commit bbf0183022423d02d3cc3f523fea1c84ddcabd23
Author: Adam Langley <agl@google.com>
Date: Mon Apr 06 21:31:54 2015

Require ECDHE for False Start.

This adds just enough of an implementation of ECDHE_RSA to tlslite to
support it on the server side.

Branch DEPS for BoringSSL were updated in r71429. That pulls in the
corresponding BoringSSL change.

BUG=474254

Review URL: https://codereview.chromium.org/1057733002

(cherry picked from commit 8f7efab800fc6987499c5365fce22349e3a4ef50)

Cr-Commit-Position: refs/branch-heads/2311@{#432}
Cr-Branched-From: 09b7de5dd7254947cd4306de907274fa63373d48-refs/heads/master@{#317474}

[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/DEPS
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/net/socket/ssl_client_socket_nss.cc
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/net/socket/ssl_client_socket_unittest.cc
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/net/ssl/ssl_cipher_suite_names.cc
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/net/ssl/ssl_cipher_suite_names.h
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/net/test/spawned_test_server/base_test_server.cc
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/net/test/spawned_test_server/base_test_server.h
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/net/tools/testserver/testserver.py
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/boringssl/boringssl.gypi
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/boringssl/boringssl_tests.gypi
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/boringssl/boringssl_unittest.cc
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/boringssl/update_gypi_and_asm.py
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/tlslite/README.chromium
[add] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/tlslite/patches/ecdhe_rsa.patch
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/tlslite/tlslite/constants.py
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/tlslite/tlslite/handshakesettings.py
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/tlslite/tlslite/messages.py
[modify] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/tlslite/tlslite/tlsconnection.py
[add] http://crrev.com/bbf0183022423d02d3cc3f523fea1c84ddcabd23/third_party/tlslite/tlslite/utils/p256.py

Comment 6 by agl@chromium.org, Apr 6 2015

Status: Fixed

Comment 7 by bugdroid1@chromium.org, Apr 6 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/249d45959a6c4e3f291a9d43e8953cf6740df50d

commit 249d45959a6c4e3f291a9d43e8953cf6740df50d
Author: Adam Langley <agl@google.com>
Date: Mon Apr 06 22:13:40 2015

Fix up merge in r317474.

I got my gyp flags in a tangle and thought that I was building and
testing use_openssl=1 when I wasn't. The original merged change pulled
in a lot more BoringSSL changes than were merged to the BoringSSL 2311
branch and included build changes that don't work on the branch.

Also, fix a couple of tests that don't exist on trunk any longer.

BUG=474254

Cr-Commit-Position: refs/branch-heads/2311@{#435}
Cr-Branched-From: 09b7de5dd7254947cd4306de907274fa63373d48-refs/heads/master@{#317474}

[modify] http://crrev.com/249d45959a6c4e3f291a9d43e8953cf6740df50d/net/socket/ssl_client_socket_unittest.cc
[modify] http://crrev.com/249d45959a6c4e3f291a9d43e8953cf6740df50d/third_party/boringssl/boringssl.gypi
[modify] http://crrev.com/249d45959a6c4e3f291a9d43e8953cf6740df50d/third_party/boringssl/boringssl_tests.gypi
[modify] http://crrev.com/249d45959a6c4e3f291a9d43e8953cf6740df50d/third_party/boringssl/boringssl_unittest.cc


Comment 8 by ClusterFuzz, Apr 6 2015

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Security_Severity-Medium
Labels: Security_Impact-Stable
Labels: Release-0-M42

Comment 12 by ClusterFuzz, Jul 14 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 13 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic