#2084 Implement safe SSL renegotiation (RFC 5746) on remaining HTTP servers
Closed: Fixed None Opened 10 years ago by mattmccutchen.

= phenomenon =
In Firefox with security.ssl.treat_unsafe_negotiation_as_broken set to true, https://koji.fedoraproject.org and https://cvs.fedoraproject.org do not get the blue SSL badge.

= reason =
Those servers do not support safe renegotiation (RFC 5746). They probably are not vulnerable to the renegotiation attack (CVE-2009-3555) because they refuse client-initiated renegotiation and I don't know of any circumstance in which they would perform server-initiated renegotiation. However, there's no way for Firefox to know that, and standardizing an extension for that specific purpose short of full RFC 5746 would be silly.

= recommendation =
Update the web server once a suitable version becomes available (see [https://bugzilla.redhat.com/show_bug.cgi?id=579311 bug 579311]).

koji and cvs appear to be fixed now, lists still isn't.

Login to comment on this ticket.