
Bug 1135561 – developer.palm.com returns SSL 3.0 ServerHello for TLS ClientHello - yuhong
https://bugzilla.mozilla.org/show_bug.cgi?id=1135561
======
sbierwagen
Might tweak the title: the bug was in developer.palm.com, Firefox only exposed
it first.

Rather than fix the server, HP (current owner of Palm's assets) just shut it
down.

~~~
dang
We changed the title from "The Mozilla Bugzilla bug that caused
developer.palm.com to shutdown (2015)".

~~~
yuhong
Still misleading. This server responded to a TLS 1.0 ClientHello with a TLS
1.0 ServerHello. That is what I mean by "TLS >1.0".

------
yuhong
Trivia: I took the email address from
[https://bugzilla.mozilla.org/show_bug.cgi?id=1154285](https://bugzilla.mozilla.org/show_bug.cgi?id=1154285)

------
Illniyar
Why is a bug in developer.palm.com opened in Mozilla?

I think I'm missing some context here, what does the last comment mean:

"I will remove this site from the whitelist in the next update."

~~~
wyldfire
Refer to the product identified as having the bug:

> Product: Tech Evangelism

> For reporting web pages that need to be upgraded to support web standards
> and Gecko-based browsers. And for reporting add-ons that exhibit common
> problems that make Firefox run sub-optimally.

It's not clear to me what the whitelist referred to is.

~~~
mcpherrinm
The whitelist was introduced here: [https://hg.mozilla.org/releases/mozilla-aurora/rev/1e9694bbf...](https://hg.mozilla.org/releases/mozilla-aurora/rev/1e9694bbffaa)
[https://bugzilla.mozilla.org/show_bug.cgi?id=1128227](https://bugzilla.mozilla.org/show_bug.cgi?id=1128227)

It's described as "TLS Intolerance fallback whitelist". It seems to allow RC4
and SSL3.

~~~
yuhong
Background: Servers are supposed to respond to ClientHellos indicating newer
versions of SSL/TLS with a ServerHello indicating the latest version the
server supports. However, not all servers did that properly. Thus browsers used
to fall back to ClientHellos indicating old TLS and SSLv3 versions to support
them. In this case, this server incorrectly responded to ClientHellos
indicating SSL/TLS versions other than 1.0 with an SSLv3 ServerHello!
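
An added example, not part of the thread or the Bugzilla report: a Python check that reads `server_version` out of captured ServerHello records and flags the negotiation pattern described in the comment above. The function names and the sample records are constructed for illustration.

```python
import struct

def server_hello_version(record: bytes) -> int:
    """Return the server_version field of a raw TLS record holding a ServerHello."""
    if len(record) < 5:
        raise ValueError("too short for a TLS record header")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:                       # 0x16 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    # Handshake header: msg_type(1) + length(3), then server_version(2).
    if len(body) != rec_len or len(body) < 6 or body[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    return struct.unpack("!H", body[4:6])[0]

def version_anomalies(probes: dict) -> list:
    """probes maps the version offered in a ClientHello to the raw reply.

    A compliant server answers with min(offered, its own maximum), so the
    chosen version never exceeds the offer and never drops as offers rise.
    """
    findings, best = [], 0
    for offered in sorted(probes):
        chosen = server_hello_version(probes[offered])
        if chosen > offered:
            findings.append((offered, chosen, "above-offer"))
            continue
        if chosen < best:
            findings.append((offered, chosen, "version-intolerant"))
        best = max(best, chosen)
    return findings

def sample_server_hello(version: int) -> bytes:
    """Constructed ServerHello: zero random, empty session id, suite 0x002f."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

# Constructed probe sets. 0x0300 = SSL 3.0, 0x0301..0x0303 = TLS 1.0..1.2.
# BROKEN mirrors the comment: only a TLS 1.0 offer gets a TLS 1.0 answer.
BROKEN = {0x0300: sample_server_hello(0x0300), 0x0301: sample_server_hello(0x0301),
          0x0302: sample_server_hello(0x0300), 0x0303: sample_server_hello(0x0300)}
# COMPLIANT models a server whose maximum is TLS 1.0.
COMPLIANT = {0x0300: sample_server_hello(0x0300), 0x0301: sample_server_hello(0x0301),
             0x0302: sample_server_hello(0x0301), 0x0303: sample_server_hello(0x0301)}

if __name__ == "__main__":
    for offered, chosen, kind in version_anomalies(BROKEN):
        print(f"offered {offered:#06x}, server chose {chosen:#06x}: {kind}")
```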

------
yeukhon
Why is this even on the front page? Such a minor issue to me.

~~~
wyldfire
I think some of us HNers might fondly recall the Palm series and nostalgia is
likely responsible for many an upvote.

~~~
yuhong
It was later used for webOS too before it was shut down.

