Closed
Bug 1135666
Opened 10 years ago
Closed 10 years ago
AliExpress/Alibaba login.aliexpress.com is (mostly) RC4 only
Categories: Web Compatibility :: Desktop, defect
Tracking: Not tracked
RESOLVED WORKSFORME
People: Reporter: shane.bundy, Unassigned
Details: Whiteboard: [contactready]
Attachments: 1 file (deleted), image/png
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150221095252
Steps to reproduce:
1. Went to AliExpress
2. Clicked to sign in
Actual results:
An error page with code "ssl_error_no_cypher_overlap" is given despite the fact the cipher is supported in Firefox.
Expected results:
Open as expected.
Reporter
Updated•10 years ago
Hardware: x86 → x86_64
Comment 1•10 years ago
https://www.ssllabs.com/ssltest/analyze.html?d=login.aliexpress.com :
> Cipher Suites (sorted by strength; the server has no preference)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
Blocks: 1124039
Status: UNCONFIRMED → NEW
Component: Untriaged → Desktop
Ever confirmed: true
OS: Windows 8.1 → All
Product: Firefox → Tech Evangelism
Hardware: x86_64 → All
Summary: Logging into AliExpress/Alibaba gives ssl_error_no_cypher_overlap → AliExpress/Alibaba login.aliexpress.com is RC4 only
Version: Trunk → unspecified
Reporter
Comment 2•10 years ago
I was waiting for that SSL Labs page to be linked.
Updated•10 years ago
Blocks: RC4-Dependence
Comment 3•10 years ago
(In reply to Shane Bundy from comment #2)
> Created attachment 8570960 [details]
> RC4maybeButAESyes.png
>
> I was waiting for that SSL Labs page to be linked.
Hmm, yes. Something else is going on as well.
Most of the time, the handshake simulation section is just this:
> TLS 1.0 TLS_RSA_WITH_RC4_128_SHA (0x5)
But clear the cache and keep trying, and one or more non-RC4 suites will be used for a select few randomised cases:
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
However, sometimes the HTTP server signature is "Apache", sometimes it's "Unknown", and sometimes something that starts with T, even for the same IPs (load balancer?).
Summary: AliExpress/Alibaba login.aliexpress.com is RC4 only → AliExpress/Alibaba login.aliexpress.com is (mostly) RC4 only
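An added example, not part of the bug report or any commenter's code: a minimal ServerHello parser that tallies which suite was negotiated across repeated handshakes, the check behind the observation in comment 3 that the same hostname answers mostly with RC4 and only occasionally with AES. The sample records are constructed, the names `parse_server_hello`, `tally` and `make_server_hello` are chosen here, and it assumes TLS 1.0 to 1.2 records with an unfragmented ServerHello and an identical ClientHello for every probe.

```python
from collections import Counter

# IANA code points for the suites quoted in the comments above.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
}

def parse_server_hello(record: bytes):
    """Return (server_version, cipher_suite) from one raw ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    # Body: version(2) random(32) sid_len(1) sid suite(2) compression(1) ...
    if rec_len < hs_len + 4 or len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated or fragmented ServerHello")
    off = 35 + hello[34]  # skip the variable-length session ID
    if off + 3 > hs_len:
        raise ValueError("session ID overruns message")
    version = int.from_bytes(hello[:2], "big")
    suite = int.from_bytes(hello[off:off + 2], "big")
    return version, suite

def tally(records):
    """Count negotiated suites over repeated probes of one hostname."""
    counts = Counter(SUITES.get(parse_server_hello(r)[1], "unknown") for r in records)
    rc4 = sum(n for name, n in counts.items() if "_RC4_" in name)
    return counts, rc4, len(counts) > 1  # >1 distinct suite: backends disagree

def make_server_hello(version, suite, session_id=b""):
    """Build a constructed ServerHello (zeroed random) to use as sample input."""
    hello = version.to_bytes(2, "big") + bytes(32) + bytes([len(session_id)])
    hello += session_id + suite.to_bytes(2, "big") + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + version.to_bytes(2, "big") + len(hs).to_bytes(2, "big") + hs

# Constructed sample: five probes, mostly RC4, like the runs described in comment 3.
SAMPLE = [make_server_hello(0x0301, 0x0005) for _ in range(3)] + [
    make_server_hello(0x0303, 0xC02F, session_id=bytes(32)),
    make_server_hello(0x0303, 0x003C),
]

if __name__ == "__main__":
    counts, rc4, mixed = tally(SAMPLE)
    print(dict(counts), f"RC4 in {rc4}/{len(SAMPLE)}; mixed pool: {mixed}")
```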
Updated•10 years ago
Whiteboard: [contactready]
Comment 4•10 years ago
FWIW I can now connect successfully with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 on Aurora 38.
The Handshake Simulation sections in https://www.ssllabs.com/ssltest/analyze.html?d=login.aliexpress.com are also now populated with a lot more non-RC4 suites (the HTTP server signature I got every time I tried over the past few days was "Tengine").
Not sure if this means Alibaba has fixed all of the servers that seem to serve the URL though.
Reporter
Comment 6•10 years ago
The issue seems to have been resolved. Alibaba have always had non-RC4 ciphers on offer but Firefox was mostly refusing to use them on first, and subsequent, loads.
It still would be nice if RC4 would just die already. :)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(shane.bundy)
Resolution: --- → WORKSFORME
I'm still facing it in Firefox 44.0b4. Very rare cases when it would load, otherwise it is the same error.
Somehow works in Developer edition :|
Assignee
Updated•6 years ago
Product: Tech Evangelism → Web Compatibility