Closed Bug 1079596 Opened 10 years ago Closed 9 years ago

bugzfeed seems broken

Categories

(bugzilla.mozilla.org Graveyard :: Bugzilla Change Notification System, defect)

Production
x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jstevensen, Unassigned)

References

Details

http://bugzfeed.mozilla.org/

says: "Can "Upgrade" only to "WebSocket"."
Assignee: glob → mcote
Also recommend improving TLS configuration while you're at it.

https://www.ssllabs.com/ssltest/analyze.html?d=bugzfeed.mozilla.org

Does this instance have "automatic updates" enabled? If those aren't dangerous, we recommend doing so.
I have to say: this is probably the most broken SSL configuration I've seen in a very long time... Would you care to share how this is currently terminated?

    $ ./cipherscan bugzfeed.mozilla.org
    ..............
    prio  ciphersuite      protocols  pfs_keysize
    1     AES256-SHA       SSLv3
    2     CAMELLIA256-SHA  SSLv3
    3     AES128-SHA       SSLv3
    4     SEED-SHA         SSLv3
    5     CAMELLIA128-SHA  SSLv3
    6     IDEA-CBC-SHA     SSLv3
    7     RC4-SHA          SSLv3
    8     RC4-MD5          SSLv3
    9     DES-CBC3-SHA     SSLv3
    10    DES-CBC-SHA      SSLv3
    11    EXP-DES-CBC-SHA  SSLv3      RSA,512bits
    12    EXP-RC2-CBC-MD5  SSLv3      RSA,512bits
    13    EXP-RC4-MD5      SSLv3      RSA,512bits

    Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
    TLS ticket lifetime hint: None
    OCSP stapling: not supported
    Client side cipher ordering

Please refer to this page to implement a proper TLS configuration.
https://wiki.mozilla.org/Security/Server_Side_TLS
Since you enforce websockets, I would recommend using the Modern configuration. You won't need support for old clients anyway.

Happy to help if needed.
this is a temporary deployment until bug 952881 is fixed (ie. it's quick and dirty).
i was expecting a much quicker turn around in getting this deployed internally :(


(In reply to Joe Stevensen [:joes] from comment #1)
> Does this instance have "automatic updates" enabled? If those aren't
> dangerous, we recommend doing.

if you mean operating-system level updates: yes.

(In reply to Julien Vehent [:ulfr] (use needinfo) from comment #2)
> I have to say: this is probably the most broken SSL configuration I've seen
> in a very long time... Would you care to share how this is currently
> terminated?

it's terminated by stunnel using the defaults, which evidently is SSLv3.
(a quick reconfiguration happens)
i've bumped the protocol version up from SSLv3 to TLSv1 (the highest supported).
Component: General → Bugzilla Change Notification System
Status: NEW → ASSIGNED
Ping so this doesn't fall too far off the radar.
(In reply to Julien Vehent [:ulfr] (use needinfo) from comment #4)
> Ping so this doesn't fall too far off the radar.

you probably want to ping bug 952881 to get bugzfeed deployed correctly, instead of this one.
Byron/Mark,

We really need someone to take action on this bug. Can someone please take this? If this isn't a priority, I'm going to recommend that we shut the site down.
Flags: needinfo?(mcote)
(In reply to Joe Stevensen [:joe] from comment #6)
> We really need someone to take action on this bug. Can someone please take
> this? If this isn't a priority, I'm going to recommend that we shut the
> site down.

i've turned off the ssl endpoint, and will poke bug 952881 again.
Flags: needinfo?(mcote)
See Also: → 1190467
(Copying & expanding on bug 952881 comment 29)

ulfr: as per bug 952881 comment 20, you said this is now much better, aside from RC4-SHA being enabled.  Since this is managed by Heroku I don't believe I can disable this protocol.  Is the situation acceptable regardless?
Flags: needinfo?(jvehent)
Yep, it looks fancy now. And RC4 is disabled :)

$ ./cipherscan bugzfeed.mozilla.org
.....................
Target: bugzfeed.mozilla.org:443

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
4     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
5     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
6     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
7     AES128-GCM-SHA256            TLSv1.2                None                None
8     AES128-SHA256                TLSv1.2                None                None
9     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
10    AES256-GCM-SHA384            TLSv1.2                None                None
11    AES256-SHA256                TLSv1.2                None                None
12    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
13    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jvehent)
Resolution: --- → FIXED
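As an added example (not part of this bug, of cipherscan or of the Server Side TLS wiki), a small Python grader that reads cipherscan tables like the two posted above and lists what the Modern profile would still reject. The profile reading it applies (TLSv1.2 only, (EC)DHE key exchange, no export, RC4, DES/3DES or MD5 suites) is this example's simplification, and the sample rows are copied from the two scans in this thread.

```python
# Constructed sample input: rows copied from the two cipherscan tables in
# this bug (the stunnel endpoint, then the Heroku one), values unchanged.
SCAN_BEFORE = """\
prio  ciphersuite      protocols  pfs_keysize
1     AES256-SHA       SSLv3
7     RC4-SHA          SSLv3
11    EXP-DES-CBC-SHA  SSLv3      RSA,512bits
"""
SCAN_AFTER = """\
prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
7     AES128-GCM-SHA256            TLSv1.2                None                None
13    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None
"""

# Substrings that mark a suite as legacy, with the reason that is reported.
WEAK_SUITE_MARKERS = [
    ("EXP-", "export-grade 512-bit RSA key exchange"),
    ("RC4", "RC4 stream cipher"),
    ("DES-CBC3", "3DES, 64-bit block"),
    ("DES-CBC-", "single DES"),
    ("MD5", "MD5 MAC"),
]

def parse_cipherscan(text):
    """One dict per cipher row: suite name, set of protocols, forward secrecy."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 3 or not cols[0].isdigit():
            continue  # header, blank line or progress dots
        # cipherscan prints the key-exchange parameters in column 4; only
        # (EC)DH there means forward secrecy ("RSA,512bits" does not).
        rows.append({"suite": cols[1], "protocols": set(cols[2].split(",")),
                     "pfs": len(cols) > 3 and cols[3].startswith(("ECDH", "DH"))})
    return rows

def grade(text):
    """Return (verdict, findings) against the simplified Modern profile."""
    findings = []
    for row in parse_cipherscan(text):
        for marker, reason in WEAK_SUITE_MARKERS:
            if marker in row["suite"]:
                findings.append(f"{row['suite']}: {reason}")
        old = sorted(row["protocols"] - {"TLSv1.2"})
        if old:
            findings.append(f"{row['suite']}: offered on {', '.join(old)}")
        if not row["pfs"]:
            findings.append(f"{row['suite']}: no forward secrecy")
    return ("modern" if not findings else "needs work"), findings
```

Run against the two scans, the first table is rejected on every row, while the second is left with only the non-PFS RSA suites, the 3DES suite and the TLSv1/TLSv1.1 offers, which is the residue the Modern profile would still ask Heroku to drop.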
Oh nice, I guess Heroku updated their SSL settings. :)
Product: bugzilla.mozilla.org → bugzilla.mozilla.org Graveyard