Bug 1133312 (Closed)
Opened 10 years ago
Closed 10 years ago
https://www.licadho-cambodia.org - worked fine, now throws a ssl_error_no_cypher_overlap error
Categories: Web Compatibility :: Desktop, defect
Status: RESOLVED FIXED
Tracking: firefox38 status affected (tracking flag ---)
People: Reporter: nirvn.asia, Unassigned
Keywords: regression
Visit https://www.licadho-cambodia.org/; under the latest nightly builds you'll see an error with the following code: ssl_error_no_cypher_overlap.
I'm not sure what's happening here. It used to work, I'd say roughly 2 weeks ago. Visiting the HTTPS site on Chromium works fine.
Comment 1•10 years ago (Reporter)
I did run a Qualys SSL Labs server test (https://www.ssllabs.com/ssltest/analyze.html?d=licadho-cambodia.org&latest), and couldn't see anything in the report that'd prevent the connection from happening.
Comment 2•10 years ago
(In reply to Mathieu Pellerin from comment #1)
> I did run a Qualys SSL Labs server test
> (https://www.ssllabs.com/ssltest/analyze.html?d=licadho-cambodia.org&latest),
> and couldn't see anything in the report that'd prevent the connection from
> happening.
Probably "This server accepts the RC4 cipher, which is weak." and "SSL 2 support"
Blocks: TLS-Intolerance
status-firefox37: --- → unaffected
status-firefox38: --- → affected
Component: Security → Desktop
Keywords: regression
Product: Core → Tech Evangelism
Updated•10 years ago
status-firefox37: unaffected → ---
Comment 3•10 years ago
The page is not TLS 1.1/1.2 intolerant but offers only RC4 and Camellia ciphers.
Camellia got disabled with bug 1036765.
RC4 for servers with TLS 1.1/TLS 1.2 got disabled with bug 1124039, and that broke this server.
The result is that there are no available ciphers for a handshake, and the error message makes sense: ssl_error_no_cypher_overlap.
Comment 4•10 years ago
Actually, because of bug 1084025, I think RC4 is completely disabled by default after bug 1124039.
Comment 5•10 years ago
Enabling fallback (or whitelisting the site) didn't help because this site supports fallback SCSV.
Comment 6•10 years ago (Reporter)
So, is this a case that should be allowed by Firefox, and some determination logic needs to be added (as a follow-up to bug 1124039), or is this site not working the intended behavior?
Comment 7•10 years ago
In a way, it is the intended behavior, yes. The site should support something secure and supported by browsers.
That said, I'll back out bug 1124039 for now because users would have no workaround until the site is fixed.
Updated•10 years ago
Summary: An https website worked fine, now throws a ssl_error_no_cypher_overlap error → https://www.licadho-cambodia.org - worked fine, now throws a ssl_error_no_cypher_overlap error
Comment 8•10 years ago
Bug 1124039 has been backed out, but please keep this bug open because the site has to be fixed anyway.
Comment 9•10 years ago (Reporter)
Masatoshi, I'm the webmaster running the above-mentioned site, so the tech evangelism work won't be very difficult :)
I think the issue here is probably not affecting only one site. I purchased the SSL certificate from Comodo less than a year ago, so it's safe to assume others will have similar cypher settings.
That said, it seems that the situation here highlights an issue vis-à-vis the whitelist, i.e. there's no way I can whitelist the site and access it (prior to you backing out bug 1124039). That seems to me worth addressing in any case.
Comment 10•10 years ago (Reporter)
Also, if the error is indeed the intended behavior in the near future, it would be worth contacting the SSL Labs guys for them to detect this situation and output a loud "your site won't work with Firefox as of version XX" message.
Comment 11•10 years ago
(In reply to Mathieu Pellerin from comment #9)
> Masatoshi, I'm the webmaster running the above-mentioned site, so the tech
> evangelism work won't be very difficult :)
Good to know :)
If your web server supports TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, I strongly recommend enabling them. If not, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (or the AES_256 variants of them) will work. If none are supported, TLS_RSA_WITH_AES_128_CBC_SHA would be the last resort (which is the TLS 1.2 mandatory cipher suite).
(In reply to Mathieu Pellerin from comment #10)
> Also, if the error is indeed the intended behavior in the near future, it
> would be worth contacting the SSL Labs guys for them to detect this
> situation and output a loud "your site won't work with Firefox as of version
> XX" message.
I guess the "Handshake Simulation" section will indicate the failure once Firefox 37 is released.
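As an added example (not part of the bug thread and not Firefox or NSS code), a simplified Python model of the negotiation described in comments 3, 5 and 11: the client offers the post-bug-1124039 suite list, the server's list is what comment 3 describes, and a downgrade retry carries TLS_FALLBACK_SCSV (RFC 7507). The cipher lists are constructed and abbreviated, and the SCSV handling is reduced to "the server rejects any ClientHello that contains the SCSV".

```python
# Simplified model of TLS cipher-suite negotiation for bug 1133312.
# Suite names follow the IANA registry; the lists are constructed for the example.

FALLBACK_SCSV = "TLS_FALLBACK_SCSV"

# Constructed, abbreviated Firefox 38 nightly ClientHello at TLS 1.2:
# Camellia is gone (bug 1036765) and RC4 is gone for TLS 1.1/1.2 (bug 1124039).
FIREFOX38_TLS12 = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
# A whitelisted/fallback retry at TLS 1.0: RC4 is still offered there,
# and the retry is marked with the fallback SCSV.
FIREFOX38_TLS10_FALLBACK = FIREFOX38_TLS12 + [
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    FALLBACK_SCSV,
]

# The site as described in comment 3: only RC4 and Camellia (constructed list).
LICADHO_BEFORE = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"]
# The same server after enabling comment 11's first recommendation.
LICADHO_AFTER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] + LICADHO_BEFORE


def server_hello(client_suites, server_suites, fallback_scsv_supported):
    """Return the suite the server picks, or the failure the client would report."""
    # RFC 7507: a server that supports the SCSV treats a downgraded retry as an
    # attack and answers with the inappropriate_fallback alert.
    if fallback_scsv_supported and FALLBACK_SCSV in client_suites:
        return "inappropriate_fallback"
    for suite in server_suites:  # server preference order
        if suite in client_suites:
            return suite
    return "ssl_error_no_cypher_overlap"


def connect(server_suites, fallback_scsv_supported, allow_fallback=False):
    """Full TLS 1.2 attempt, optionally followed by the TLS 1.0 fallback retry."""
    result = server_hello(FIREFOX38_TLS12, server_suites, fallback_scsv_supported)
    if result == "ssl_error_no_cypher_overlap" and allow_fallback:
        # Comment 5: the fallback/whitelist path retries with RC4 and the SCSV.
        result = server_hello(FIREFOX38_TLS10_FALLBACK, server_suites, fallback_scsv_supported)
    return result
```

Running `connect` with the three scenarios reproduces the thread: no overlap on the plain attempt, an inappropriate_fallback rejection when fallback is forced against a server that honours the SCSV, and a normal AES-GCM handshake once the server adds the recommended suite.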
Comment 12•10 years ago (Reporter)
Masatoshi, how would I activate any of those via my hosting company (hostmonster.com)'s cpanel administration tool?
Comment 13•10 years ago
Sorry, I don't know about the admin interface of individual hosting companies. Could you ask hostmonster support?
Comment 14•10 years ago
(In reply to Masatoshi Kimura [:emk] from comment #11)
> (In reply to Mathieu Pellerin from comment #9)
> > Masatoshi, I'm the webmaster running the above-mentioned site, so the tech
> > evangelism work won't be very difficult :)
>
> Good to know :)
> If your web server supports TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, I strongly recommend to enable
> them. If not, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA or
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (or AES_256 variants of them) will work.
> If none supported, TLS_RSA_WITH_AES_128_CBC_SHA would be the last resort
> (which is the TLS 1.2 mandatory cipher suites).
Note that the ECDSA cipher suites also require an ECDSA certificate.
Updated•10 years ago
Blocks: RC4-Dependence
Comment 15•10 years ago
Mathieu, have you tried to ask the support? This will affect all hostmonster customers.
Flags: needinfo?(nirvn.asia)
Comment 16•10 years ago (Reporter)
Masatoshi, I've tried but without great success... customer support isn't very responsive.
I was going to open a new bug on this, since as of today I can't even log into hostmonster's customer administration section (i.e., the cPanel section once a customer logs in from this page: https://my.hostmonster.com/web-hosting/cplogin ). That's a pretty serious issue, as all hostmonster customers will be locked out of their administration panel unless they switch to a different browser :/
Flags: needinfo?(nirvn.asia)
Comment 17•10 years ago
Could you paste content of Browser Console when you tried to login? (Press Ctrl+Shift+J to open Browser Console.)
Comment 18•10 years ago
Mathieu, please try comment #16. And please clear the cache before trying because the console will not display the warning because the resource is already in the cache.
I can't add the exception without knowing the problematic hostname. my.hostmonster.com supports TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
Flags: needinfo?(nirvn.asia)
Comment 19•10 years ago
> please try comment #16
Sorry, comment #17.
Comment 20•10 years ago (Reporter)
Masatoshi, hostmonster.com is fixed now.
As for https://www.licadho-cambodia.org/, it's still broken, yet I can't see any cypher-related entry in the web console when accessing the site. Should there be something there or not?
Flags: needinfo?(nirvn.asia)
Updated•6 years ago (Assignee)
Product: Tech Evangelism → Web Compatibility