Closed
Bug 1341106
Opened 7 years ago
Closed 7 years ago
https://capitolfax.com/ fails to load in ESR 45.7.0 on Windows, Mac, and Linux
Categories
(Core :: Networking: HTTP, defect)
Tracking
()
RESOLVED
INVALID
Tracking | Status | |
---|---|---|
firefox-esr45 | - | wontfix |
firefox51 | --- | unaffected |
firefox52 | --- | unaffected |
firefox53 | --- | unaffected |
firefox54 | --- | unaffected |
People
(Reporter: szuta, Unassigned)
References
()
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0 Build ID: 20170125094131 Steps to reproduce: Visit https://capitolfax.com/ Actual results: URL disappears from the URL bar. Firebug shows 'aborted' response. Expected results: Webpage should load (see any other browser, or non-ESR version).
[Tracking Requested - why for this release]: NS_ERROR_NET_INADEQUATE_SECURITY in 48.0.1, works in 49.0.2 and later, with the issue in 47.0.2 and earlier (including 45.7.0esr). Works in 33.0, 35.0. With the issue in 37.0.2.
Status: UNCONFIRMED → NEW
Has STR: --- → yes
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected
status-firefox53:
--- → unaffected
status-firefox54:
--- → unaffected
status-firefox-esr45:
--- → affected
tracking-firefox-esr45:
--- → ?
Component: Untriaged → Networking: HTTP
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Comment 2•7 years ago
|
||
daniel - can you triage this.. HTTP_logging you will get a fine grained reason for inadequate_security. my guess is that its a server bug - negotiating an ilegal h2 suite (and also choosing h2) - and for later revisions we just don't offer the problematic combo in the handshake at all.. that would be INVALID - but maybe its something different.
Flags: needinfo?(daniel)
Comment 3•7 years ago
|
||
SSL Labs perfectly identified the issue: https://dev.ssllabs.com/ssltest/analyze.html?d=capitolfax.com&hideResults=on > Firefox 47 / Win 7 R Server negotiated HTTP/2 with blacklisted suite > RSA 2048 (SHA256) | TLS 1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 Because this server prefers some blacklisted cipher suites over AES_128_GCM_SHA256, the connection fails. (Yet another example of "256-bit is always better than 128-bit" myth.) Firefox added support for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Unfortunately, it is very unlikely that we backport AES_256_GCM_SHA384 to ESR.
Comment 4•7 years ago
|
||
thanks emk.going to close this one as INVALID based on server behavior.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(daniel)
Resolution: --- → INVALID
Comment 5•7 years ago
|
||
esr 45 is dead, please use esr 52
You need to log in
before you can comment on or make changes to this bug.
Description
•