Bug#611461: iceweasel still does insecure ssl renegotiation?!

Stefan Fritsch sf at sfritsch.de
Sat Jan 29 17:47:38 UTC 2011

On Saturday 29 January 2011, Christoph Anton Mitterer wrote:
> It seems that iceweasel still is vulnerable to the SSL
> renegotiation attack, as simply is configured per default to allow
> the vulnerable renegotiation:

This has to be balanced between compatibility and security. Currently 
less than 50% of the servers on the internet are patched. So it is 
sensible to not deny renegotiation for unpatched servers. 

Patched servers usually won't allow insecure renegotiation, anyway. 
There are also many servers that don't allow renegotiation at all. So 
the problem is mostly about the browser knowing if the remote server 
is secure.

> security.ssl.require_safe_negotiation;true

FWIW, this setting is about negotiation, not about _re_negotiation.

You probably want to change

It will take a lot longer until security.ssl.require_safe_negotiation 
can be switched on by default. Look at how long it took for SSLv2 to 

More information about the pkg-mozilla-maintainers mailing list