Closed Bug 1341106 Opened 7 years ago Closed 7 years ago

https://capitolfax.com/ fails to load in ESR 45.7.0 on Windows, Mac, and Linux

Categories

(Core :: Networking: HTTP, defect)

51 Branch
defect
Not set
normal

Tracking

RESOLVED INVALID
Tracking Status
firefox-esr45 - wontfix
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected

People

(Reporter: szuta, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

Visit https://capitolfax.com/


Actual results:

URL disappears from the URL bar. Firebug shows 'aborted' response.


Expected results:

Webpage should load (see any other browser, or non-ESR version).
[Tracking Requested - why for this release]:

NS_ERROR_NET_INADEQUATE_SECURITY in 48.0.1, works in 49.0.2 and later, with the issue in 47.0.2 and earlier (including 45.7.0esr). Works in 33.0, 35.0. With the issue in 37.0.2.
Status: UNCONFIRMED → NEW
Has STR: --- → yes
Component: Untriaged → Networking: HTTP
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
daniel - can you triage this? With HTTP_logging you will get a fine-grained reason for inadequate_security. My guess is that it's a server bug - negotiating an illegal h2 suite (and also choosing h2) - and for later revisions we just don't offer the problematic combo in the handshake at all. That would be INVALID - but maybe it's something different.
Flags: needinfo?(daniel)
SSL Labs perfectly identified the issue:
https://dev.ssllabs.com/ssltest/analyze.html?d=capitolfax.com&hideResults=on
> Firefox 47 / Win 7  R		Server negotiated HTTP/2 with blacklisted suite
> RSA 2048 (SHA256)   |  TLS 1.2  |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1 

Because this server prefers some blacklisted cipher suites over AES_128_GCM_SHA256, the connection fails. (Yet another example of the "256-bit is always better than 128-bit" myth.) Firefox added support for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

Unfortunately, it is very unlikely that we will backport AES_256_GCM_SHA384 to ESR.
Thanks emk. Going to close this one as INVALID based on server behavior.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(daniel)
Resolution: --- → INVALID
ESR 45 is dead, please use ESR 52.
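
The failure diagnosed in the comments above, as an added example that is not part of the bug report or of Mozilla's code: a server that applies its own cipher preference and also selects h2 lands on a suite the HTTP/2 black list (RFC 7540, section 9.2.2 and Appendix A) forbids, unless the client offers the AEAD suite the server ranks first. The client offers and server preference list are constructed for illustration, and `h2_permitted` approximates the Appendix A criteria by suite name rather than reproducing the literal list.

```python
# Added illustration: server-preference cipher selection vs. the HTTP/2
# cipher-suite black list (RFC 7540 section 9.2.2 / Appendix A).

def h2_permitted(suite: str) -> bool:
    """Name-based approximation of the Appendix A criteria (an assumption,
    not the literal list): ephemeral key exchange and an AEAD cipher."""
    key_exchange = suite.split("_WITH_")[0]
    ephemeral = key_exchange.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    aead = any(tag in suite for tag in ("_GCM_", "_CCM", "_CHACHA20_POLY1305"))
    return ephemeral and aead

def negotiate(client_offer, server_pref):
    """Server-preference selection: first server suite the client offered."""
    return next((s for s in server_pref if s in client_offer), None)

def connect(client_offer, server_pref, alpn="h2"):
    """Return (result, suite) as seen by an h2 client enforcing the black list."""
    suite = negotiate(client_offer, server_pref)
    if suite is None:
        return ("handshake_failure", None)
    if alpn == "h2" and not h2_permitted(suite):
        return ("INADEQUATE_SECURITY", suite)
    return ("ok", suite)

def aead_first(server_pref):
    """Server-side fix: stable reorder so h2-permitted suites are preferred."""
    return sorted(server_pref, key=lambda s: not h2_permitted(s))

# Constructed sample data (not captured from the site or from any Firefox build).
SERVER_PREF = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
OLD_CLIENT = [  # offers no AES-256 AEAD suite
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
NEW_CLIENT = OLD_CLIENT + ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    print("old client, 256-first server:", connect(OLD_CLIENT, SERVER_PREF))
    print("new client, 256-first server:", connect(NEW_CLIENT, SERVER_PREF))
    print("old client, AEAD-first server:", connect(OLD_CLIENT, aead_first(SERVER_PREF)))
```

Either change clears the error: the client gaining the AES-256 GCM suite, or the server ranking AEAD suites ahead of CBC ones whenever it is willing to select h2.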