Closed
Bug 1042380
Opened 11 years ago
Closed 10 years ago
T-Mobile's customer website login is broken without SSL3: ssl_error_no_cypher_overlap on https://tmobile.ecustomersupport.com
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(firefox33 unaffected, firefox34 verified, firefox35 verified, firefox36 verified)
RESOLVED FIXED
Target Milestone: Nov
People
(Reporter: keeler, Unassigned)
(Others might have to be signed in/have a t-mobile account to reproduce this.) When I was re-filling my account using Nightly (34), I encountered ssl_error_no_cypher_overlap when connecting to https://tmobile.ecustomersupport.com. Their site has been flaky on Nightly before, so it may just be them doing some user agent sniffing and then making poor decisions, but it might also be due to us retiring some cipher suites recently.
Comment 1•11 years ago
https://www.ssllabs.com/ssltest/analyze.html?d=tmobile.ecustomersupport.com
Only supports SSL3 with:
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
SSL setup for that server appears to be horrible. Only SSL3; no TLS at all. I reproduced the error accidentally as I had SSL3 disabled. (it's currently under consideration for default disable: bug 1042811) If you have it off too, that'll do it.
Note that according to this test, IE 11 on Win 8.1 cannot connect to the site at all.
Comment 2•10 years ago
FWIW, I tried to ping T-Mobile Support: https://twitter.com/cpeterso/status/526613217368231936
Comment 3•10 years ago
[Tracking Requested - why for this release]:
T-Mobile's customer website login is broken without SSL3. This is fallout from Mozilla disabling SSL3 to protect against the POODLE attack.
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
status-firefox33:
--- → unaffected
status-firefox34:
--- → affected
status-firefox35:
--- → affected
status-firefox36:
--- → affected
tracking-firefox34:
--- → ?
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Summary: ssl_error_no_cypher_overlap on https://tmobile.ecustomersupport.com → T-Mobile's customer website login is broken without SSL3: ssl_error_no_cypher_overlap on https://tmobile.ecustomersupport.com
Target Milestone: --- → Nov
Updated•10 years ago
Blocks: POODLEBITE
Comment 5•10 years ago
I'm not tracking this for 34 as there will be a number of sites impacted and we need to deal with as many as possible. That effort will happen separately from release tracking.
tracking-firefox34:
? → ---
So, I hit the SSL Labs test link out of curiosity, and I got:
Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 No
SSL 2 No
So... I guess that means this is fixed.
Also no problems w/ SSL on connecting to the site, apart from the fact that I get a 0 byte page at the moment.
Comment 7•10 years ago
Thanks for checking, nemo. I can now log into my T-Mobile account with Firefox 33, Beta 34, Aurora 35, and Nightly 36.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 9•10 years ago
Reopening. If this was fixed, it isn't anymore.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 10•10 years ago
To clarify the problem now: T-Mobile's customer service site is broken with current stable Firefox. The tmobile.ecustomersupport.com domain is still/again SSL3-only. Tested with Firefox 34.0.5 as well as Firefox 31.3.0 ESR.
Comment 11•10 years ago
Fixed again now.
Comment 12•10 years ago
https://www.ssllabs.com/ssltest/analyze.html?d=tmobile.ecustomersupport.com
New current setup appears to be TLS 1.0 only with:
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) 112
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) 256
Still fairly pathetic, but should work now if they don't regress yet again. It would be nice if someone could get in touch with someone responsible on their end to get them to fix this. RC4 is on its way to banning too, and of course not supporting anything other than TLS 1.0 from 1999 is fairly sad.
Side note: The developer of SSL Labs has told me that they're fixing their scanner in an update next week so that it won't somehow give a passing grade to SSL3-only sites that don't even work.
I guess I'll close this again, unless there are any objections.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
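The failure reported in comment 1 and the fix reported in comment 12, as an added example that is not part of the bug thread: it parses the suite listings quoted in those comments and runs them through a simplified negotiation model. The client suite list and all function names are constructed for illustration and are not any browser's actual configuration.

```python
import re

VERSIONS = ["SSL 2", "SSL 3", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # oldest to newest
SUITE_RE = re.compile(r"(TLS_\w+) \(0x([0-9a-f]+)\)\s+(\d+)")

# Suite lists as quoted in comment 1 and comment 12 of this bug.
COMMENT_1 = """
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
"""
COMMENT_12 = COMMENT_1 + """
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) 112
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) 256
"""
# Constructed client offer in preference order (not any browser's real list).
CLIENT_SUITES = [0xC013, 0x33, 0x39, 0x2F, 0x35, 0x0A]

def parse_suites(text):
    """Map suite id -> name for every 'NAME (0xID) BITS' line in a scan listing."""
    return {int(i, 16): n for n, i, _ in SUITE_RE.findall(text)}

def weaknesses(name):
    """Flag the properties the comments complain about in a suite name."""
    flags = [w for w in ("RC4", "3DES") if f"_{w}_" in name]
    if name.endswith("_MD5"):
        flags.append("MD5")
    if not name.startswith(("TLS_DHE_", "TLS_ECDHE_")):
        flags.append("no-forward-secrecy")
    return flags

def negotiate(server_versions, server_suites, client_min, client_suites=CLIENT_SUITES):
    """Simplified model: highest shared version, first client-preferred shared suite."""
    floor = VERSIONS.index(client_min)
    shared = [v for v in server_versions if VERSIONS.index(v) >= floor]
    if not shared:
        return None  # client refuses every version the server speaks
    suite = next((s for s in client_suites if s in server_suites), None)
    return (max(shared, key=VERSIONS.index), server_suites[suite]) if suite is not None else None

if __name__ == "__main__":
    old, new = parse_suites(COMMENT_1), parse_suites(COMMENT_12)
    print(negotiate(["SSL 3"], old, "TLS 1.0"))    # SSL3 disabled in the client
    print(negotiate(["SSL 3"], old, "SSL 3"))      # SSL3 still allowed
    print(negotiate(["TLS 1.0"], new, "TLS 1.0"))  # after the server change
    print({n: weaknesses(n) for n in new.values()})
```

The first call returns `None` because the client's minimum version is above the only version the server speaks, even though the cipher suites themselves overlap.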
Updated•6 years ago
Product: Tech Evangelism → Web Compatibility