Bug 1079596 - bugzfeed seems broken
Status: Closed, RESOLVED FIXED
Opened 10 years ago, closed 9 years ago
Categories: bugzilla.mozilla.org Graveyard :: Bugzilla Change Notification System, defect
Tracking: Not tracked
People: Reporter: jstevensen, Unassigned

Description
http://bugzfeed.mozilla.org/ says: "Can "Upgrade" only to "WebSocket"."
Updated•10 years ago
Assignee: glob → mcote
Comment 1•10 years ago (Reporter)
Also recommend improving TLS configuration while you're at it. https://www.ssllabs.com/ssltest/analyze.html?d=bugzfeed.mozilla.org

Does this instance have "automatic updates" enabled? If those aren't dangerous, we recommend doing so.
Comment 2•10 years ago
I have to say: this is probably the most broken SSL configuration I've seen in a very long time... Would you care to share how this is currently terminated?

$ ./cipherscan bugzfeed.mozilla.org
..............
prio  ciphersuite       protocols  pfs_keysize
1     AES256-SHA        SSLv3
2     CAMELLIA256-SHA   SSLv3
3     AES128-SHA        SSLv3
4     SEED-SHA          SSLv3
5     CAMELLIA128-SHA   SSLv3
6     IDEA-CBC-SHA      SSLv3
7     RC4-SHA           SSLv3
8     RC4-MD5           SSLv3
9     DES-CBC3-SHA      SSLv3
10    DES-CBC-SHA       SSLv3
11    EXP-DES-CBC-SHA   SSLv3      RSA,512bits
12    EXP-RC2-CBC-MD5   SSLv3      RSA,512bits
13    EXP-RC4-MD5       SSLv3      RSA,512bits

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering

Please refer to this page to implement a proper TLS configuration. https://wiki.mozilla.org/Security/Server_Side_TLS

Since you enforce websockets, I would recommend using the Modern configuration. You won't need support for old clients anyway. Happy to help if needed.
Comment 3•10 years ago

this is a temporary deployment until bug 952881 is fixed (ie. it's quick and dirty). i was expecting a much quicker turn around in getting this deployed internally :(

(In reply to Joe Stevensen [:joes] from comment #1)
> Does this instance have "automatic updates" enabled? If those aren't
> dangerous, we recommend doing.

if you mean operating-system level updates: yes.

(In reply to Julien Vehent [:ulfr] (use needinfo) from comment #2)
> I have to say: this is probably the most broken SSL configuration I've seen
> in a very long time... Would you care to share how this is currently
> terminated?

it's terminated by stunnel using the defaults, which evidently is SSLv3.

(a quick reconfiguration happens)

i've bumped the protocol version up from SSLv3 to TLSv1 (the highest supported).
Component: General → Bugzilla Change Notification System
Updated•10 years ago
Status: NEW → ASSIGNED
Comment 4•10 years ago
Ping so this doesn't fall too far off the radar.
Comment 5

(In reply to Julien Vehent [:ulfr] (use needinfo) from comment #4)
> Ping so this doesn't fall too far off the radar.

you probably want to ping bug 952881 to get bugzfeed deployed correctly, instead of this one.
Comment 6•9 years ago (Reporter)
Byron/Mark,

We really need someone to take action on this bug. Can someone please take this? If this isn't a priority, I'm going to recommend that we shut the site down.
Flags: needinfo?(mcote)
Comment 7•9 years ago

(In reply to Joe Stevensen [:joe] from comment #6)
> We really need someone to take action on this bug. Can someone please take
> this? If this isn't a priority, I'm going to recommend that we shut the
> site down.

i've turned off the ssl endpoint, and will poke bug 952881 again.
Flags: needinfo?(mcote)
Comment 8•9 years ago (Assignee)
(Copying & expanding on bug 952881 comment 29) ulfr: as per bug 952881 comment 20, you said this is now much better, aside from RC4-SHA being enabled. Since this is managed by Heroku I don't believe I can disable this protocol. Is the situation acceptable regardless?
Flags: needinfo?(jvehent)
Comment 9•9 years ago
Yep, it looks fancy now. And RC4 is disabled :)

$ ./cipherscan bugzfeed.mozilla.org
.....................
Target: bugzfeed.mozilla.org:443

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
4     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
5     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
6     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
7     AES128-GCM-SHA256            TLSv1.2                None                None
8     AES128-SHA256                TLSv1.2                None                None
9     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
10    AES256-GCM-SHA384            TLSv1.2                None                None
11    AES256-SHA256                TLSv1.2                None                None
12    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
13    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jvehent)
Resolution: --- → FIXED
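An added example, not part of the bug, of the cipherscan tool or of the Mozilla guide linked in comment 2: a small Python checker that applies the objections raised in comments 2 and 9 to cipherscan-style output. BEFORE and AFTER are constructed, abridged copies of the two scans quoted above, and the rule list (SSLv3, export suites, RC4, MD5, single DES and 3DES, non-(EC)DHE key exchange, untrusted certificate) is this editor's reading of the thread, not the Server Side TLS "Modern" profile itself, so a clean result here is not the same as meeting that profile.

```python
"""Apply the TLS checks raised in this bug to cipherscan-style output.

Added example written for this page, not code from the bug, cipherscan or
Mozilla's Server Side TLS guide. The rules are the objections in the thread:
SSLv3, export suites, RC4, MD5, single DES/3DES, non-(EC)DHE key exchange
and an untrusted certificate.
"""
import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the SSLv3-only scan in comment 2.
BEFORE = """\
prio  ciphersuite       protocols  pfs_keysize
1     AES256-SHA        SSLv3
7     RC4-SHA           SSLv3
8     RC4-MD5           SSLv3
9     DES-CBC3-SHA      SSLv3
10    DES-CBC-SHA       SSLv3
11    EXP-DES-CBC-SHA   SSLv3      RSA,512bits
13    EXP-RC4-MD5       SSLv3      RSA,512bits
Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
"""

# Constructed sample: an abridged copy of the post-fix scan in comment 9.
AFTER = """\
prio  ciphersuite                  protocols              pfs
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
7     AES128-GCM-SHA256            TLSv1.2                None
9     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None
13    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None
Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
"""

# One table row: priority, suite name, comma-separated protocols, optional rest.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S.*?))?\s*$")
CERT = re.compile(r"^Certificate:\s*(\w+)", re.IGNORECASE)


@dataclass
class Suite:
    prio: int
    name: str
    protocols: tuple
    kx: str  # pfs column; "RSA,512bits" on export suites is the temporary RSA key


def parse(report):
    """Return (suites, cert_trusted); cert_trusted is None if no cert line."""
    suites, trusted = [], None
    for line in report.splitlines():
        m = CERT.match(line)
        if m:
            trusted = m.group(1).lower() == "trusted"
            continue
        m = ROW.match(line)
        if m:
            prio, name, protos, kx = m.groups()
            suites.append(Suite(int(prio), name, tuple(protos.split(",")), kx or ""))
    return suites, trusted


def offered_protocols(report):
    """Sorted tuple of every protocol version any suite is offered on."""
    suites, _ = parse(report)
    return tuple(sorted({p for s in suites for p in s.protocols}))


def findings(report):
    """Weaknesses a reviewer would flag, one string each, in scan order."""
    suites, trusted = parse(report)
    out = []
    protos = set(offered_protocols(report))
    for old in ("SSLv2", "SSLv3"):
        if old in protos:
            out.append(f"{old} offered")
    if trusted is False:
        out.append("certificate not trusted")
    for s in suites:
        if s.name.startswith("EXP-"):
            out.append(f"export-grade suite: {s.name}")
        if "RC4" in s.name:
            out.append(f"RC4 suite: {s.name}")
        if s.name.endswith("-MD5"):
            out.append(f"MD5 MAC: {s.name}")
        if "DES-CBC3" in s.name:
            out.append(f"3DES suite: {s.name}")
        elif "DES-CBC" in s.name:
            out.append(f"single DES suite: {s.name}")
        if "512bits" in s.kx:
            out.append(f"weak key exchange {s.kx}: {s.name}")
        # Forward secrecy needs an ephemeral (EC)DH exchange; static RSA has none.
        if not s.name.startswith(("ECDHE-", "DHE-")):
            out.append(f"no forward secrecy: {s.name}")
    return out


if __name__ == "__main__":
    for label, report in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label}: {', '.join(offered_protocols(report))} ==")
        for f in findings(report):
            print(" -", f)
```

Run directly to print both verdicts. On the constructed AFTER input the SSLv3, export, RC4, MD5 and certificate findings all disappear; what remains are the static-RSA suites and DES-CBC3-SHA, which is what an operator would still have to drop to reach the ECDHE-only "Modern" profile in the linked guide.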
Comment 10•9 years ago (Assignee)
Oh nice, I guess Heroku updated their SSL settings. :)
Updated•5 years ago
Product: bugzilla.mozilla.org → bugzilla.mozilla.org Graveyard