
Trunk: Please watch out for regressions with secure sites


Kai Engert

Apr 5, 2006, 5:18:13 PM
Yesterday we checked in a larger change to the trunk that affects secure
connections (SSL/TLS) in all Mozilla applications.

The new code is active whenever you access a site using a protocol like
https:// or imap+ssl or smtp+tls, etc.

The purpose of the change is to make OCSP (certificate validation) work
through proxies (see bug 111384).

When testing nightly trunk builds of Firefox, Thunderbird or SeaMonkey,
please report any regressions in bugzilla.mozilla.org to the
"Core/Security PSM" component.

Should the change have introduced regressions to SSL/TLS, you should run
into them, regardless of whether you actually use the OCSP feature.

However, if you'd like to test further, feel free to enable the "Use
OCSP to validate certificates that specify an OCSP service URL" feature.
Even if you're behind a firewall that requires the use of a proxy, it
should work with the latest nightly trunk builds.

To enable it, go to:
Firefox: Edit/Prefs/Advanced/Security/Verification
Thunderbird: Edit/Prefs/Privacy/Security/Verification
SeaMonkey: Edit/Prefs/Privacy&Security/Validation

Thanks for your help!
Kai

steve....@gmail.com

Apr 8, 2006, 9:55:58 AM
Is the error message ("Deerpark and secureads.ft.com can not
communicate securely because they have no common encryption
algorithms?") generated from
http://news.ft.com/cms/s/257d272e-c665-11da-99fa-0000779e2340.html
anything to do with this?

Nelson B. Bolyard

Apr 8, 2006, 1:00:21 PM
to dev-tec...@lists.mozilla.org

No, https://secureads.ft.com/ is an OLD "export" version of the Netscape
Enterprise Server, version 3.6, which only was capable of the old "40-bit"
cipher suites. Those 40-bit cipher suites are now disabled by default
in deerpark. AFAIK, that has nothing to do with Kai's recent work.

Thanks for reporting that site.
--
Nelson B

Wan-Teh Chang

Apr 10, 2006, 2:06:27 PM
to dev-tec...@lists.mozilla.org
Nelson B. Bolyard wrote:
> No, https://secureads.ft.com/ is an OLD "export" version of the Netscape
> Enterprise Server, version 3.6, which only was capable of the old "40-bit"
> cipher suites. Those 40-bit cipher suites are now disabled by default
> in deerpark. AFAIK, that has nothing to do with Kai's recent work.
>
> Thanks for reporting that site.

Yes, this is a known issue with that site:
https://bugzilla.mozilla.org/show_bug.cgi?id=332667

Kai Engert has sent a message to the webmaster of that
site.

Wan-Teh
