XUL staff client does not support TLS above 1.0

Bug #1547668 reported by Bill Erickson
This bug affects 1 person
Affects: Evergreen
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Opening this bug for documentation purposes.

The version of XULRunner used by Evergreen (version 14) supports TLS version 1.0, but not versions 1.1 or 1.2. TLS version 1.0 is effectively deprecated. For example, it's no longer considered sufficient for PCI compliance:

https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf

For reference, support for later versions was added to FF/XUL as part of this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=733642

You can test this by modifying (on Ubuntu) /etc/apache2/mods-enabled/ssl.conf and setting SSLProtocol like so and restarting Apache:

SSLProtocol TLSv1.1 TLSv1.2

Once done, if you connect with the XUL client, it will report "There was an error testing this hostname". Adding an SSL Exception is not an option.

We are of course already working to move away from XULRunner. I'm documenting this issue as one more reason it's important to continue this effort with all due haste. Also, someone may point out that I'm wrong and that there is in fact a way to resolve this issue while we are still using XULRunner.

Bill Erickson (berick)
Changed in evergreen:
status: New → Won't Fix
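
Why a client capped at TLS 1.0 cannot connect once the server enables only TLS 1.1 and 1.2, as an added example (not part of the original report, Evergreen or XULRunner). It models the pre-TLS 1.3 version selection rule from RFC 5246; the function names are hypothetical and the ClientHello bytes are constructed.

```python
import struct

# TLS wire versions mapped to the protocol names used by Apache's SSLProtocol
NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
PROTOCOL_VERSION_ALERT = 70  # RFC 5246 alert description "protocol_version"

def build_client_hello(max_version):
    """Constructed minimal ClientHello record offering a single cipher suite."""
    body = struct.pack("!H", max_version)      # client_version: highest the client speaks
    body += bytes(32)                          # random (all zeros, constructed)
    body += b"\x00"                            # empty session_id
    body += struct.pack("!HH", 2, 0x002F)      # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                        # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs  # record header

def client_version(record):
    """Extract ClientHello.client_version after validating the framing."""
    if len(record) < 11:
        raise ValueError("truncated record")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a complete handshake record")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    if int.from_bytes(record[6:9], "big") != rec_len - 4:
        raise ValueError("handshake length mismatch")
    return struct.unpack("!H", record[9:11])[0]

def negotiate(record, server_enabled):
    """Server picks its highest enabled version <= the client's maximum."""
    offered = client_version(record)
    usable = [v for v in server_enabled if v <= offered]
    if not usable:
        # No common version: the handshake ends with a fatal alert
        return ("alert", PROTOCOL_VERSION_ALERT)
    return ("ok", NAMES[max(usable)])

if __name__ == "__main__":
    tls10_only = build_client_hello(0x0301)  # client whose maximum is TLS 1.0
    print(negotiate(tls10_only, {0x0301, 0x0302, 0x0303}))  # TLS 1.0 still enabled
    print(negotiate(tls10_only, {0x0302, 0x0303}))          # only TLS 1.1 and 1.2
```

Because the rejection happens during version negotiation, before any certificate is evaluated, a certificate exception on the client side has nothing to act on.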