Closed Bug 1105341 Opened 10 years ago Closed 6 years ago

A security error is logged in browser console when opening some mozilla.org web page.

Categories

(www.mozilla.org :: Analytics, defect)

Version: Production
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: VarCat, Unassigned)

Details

FF 34 RC1
Build ID: 20141125180439
OS: Win 7 x64, Ubuntu 14.04 x64, Mac OS 10.9.5

STR:

1. Open https://www.mozilla.org/en-US/firefox/34.0/firstrun/

Issue:
The following security errors are logged in the browser console:

cdn.optimizely.com : server does not support RFC 5746, see CVE-2009-3555
cdn3.optimizely.com : server does not support RFC 5746, see CVE-2009-3555
Assignee: nobody → server-ops
Component: General → Server Operations
Product: Firefox → mozilla.org
QA Contact: shyam
Version: 34 Branch → other
Isn't this a web team thing? Alex, who controls the references to optimizely, and can we fix this and/or evangelize with them so they fix it? :-)
Flags: needinfo?(agibson)
Looks like this security error happens on every page on mozilla.org when the Optimizely script is included (which is currently every page, since it's in the base template). 

Cc'ing cmore - Chris, can you speak to someone at Optimizely to see if they can fix this on their server?
Flags: needinfo?(agibson) → needinfo?(chrismore.bugzilla)
Assignee: server-ops → nobody
Component: Server Operations → Analytics
Flags: needinfo?(chrismore.bugzilla)
Product: mozilla.org → www.mozilla.org
QA Contact: shyam
Version: other → Production
I've moved this to the correct product and I have contacted Optimizely support to see what they suggest.
Will update after I hear from them.
Flags: needinfo?(chrismore.bugzilla)
Summary: A security error is logged in browser console when opening the mozilla firstrun page. → A security error is logged in browser console when opening any mozilla.org web page.
I've talked to Optimizely, they are able to replicate the problem and have opened a ticket with their webops team.
Flags: needinfo?(chrismore.bugzilla)
Note that as of Bug 1107952 we are no longer including Optimizely on every page on mozilla.org, and are instead enabling it on specific pages when required using a Waffle flag.

This bug can still be observed at the following URL where Optimizely is currently running:

https://www.mozilla.org/en-US/firefox/new/

Error: 'cdn3.optimizely.com : server does not support RFC 5746, see CVE-2009-3555'
Here's the response from Optimizely:

----
We are still waiting on one of our CDN providers to confirm about whether they have SSLv3 turned off on their end.

Another provider, Edgecast, confirmed that this is due to SSLv3 being turned off at their end.

The Poodle SSL vulnerability from a while ago has no patch as of yet and the work around recommended was to turn off SSLv3. We did this with our ELBs too and Edgecast has done so as well.
So, from what we can tell, a security "Fix" is causing this symptom.

It looks like there isn't a way client side (like in Firefox) to test if server-initiated renegotiation is disabled or vulnerable, which is why Firefox shows this issue even if it is mitigated, so it appears to be a false positive.

I hope this helps! Please let me know if you have any other questions or want further clarification.
----
Summary: A security error is logged in browser console when opening any mozilla.org web page. → A security error is logged in browser console when opening some mozilla.org web page.
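The console message quoted in this bug ("server does not support RFC 5746, see CVE-2009-3555") is emitted by Firefox/NSS when the ServerHello of the initial handshake does not carry the renegotiation_info extension defined in RFC 5746; that extension is advertised in the handshake itself, so its presence can be checked from the client side regardless of whether SSLv3 is enabled on the server. The script below is an added example written for this page; it is not code from the bug, from Mozilla or from Optimizely. It builds a TLS 1.2 ClientHello that signals RFC 5746 (the SCSV plus an empty renegotiation_info extension), parses the ServerHello and reports whether the extension came back. The live `probe()` assumes network access and a server that will negotiate TLS 1.2 (the ClientHello deliberately omits supported_versions, because TLS 1.3 has no renegotiation and never sends this extension); the ServerHello bytes produced by `make_server_hello()` are constructed for the offline self-check, not captured from any real server.

```python
"""Probe a TLS server for RFC 5746 (secure renegotiation) support.
Added example; not code from the bug, Mozilla or Optimizely."""
import os
import socket
import struct

RENEGOTIATION_INFO = 0xFF01             # RFC 5746 extension type
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling cipher suite

def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack(">HH", ext_type, len(data)) + data

def build_client_hello(server_name: str) -> bytes:
    """TLS 1.2 ClientHello with SNI, common suites, the RFC 5746 SCSV and an
    empty renegotiation_info extension (no prior verify_data, so the body is
    the single length byte 0x00)."""
    suites = [0xC02B, 0xC02F, 0x009C, 0x002F, EMPTY_RENEGOTIATION_INFO_SCSV]
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack(">H", len(host)) + host
    extensions = (
        _ext(0x0000, struct.pack(">H", len(sni_entry)) + sni_entry)      # server_name
        + _ext(0x000A, struct.pack(">HHH", 4, 0x001D, 0x0017))          # groups: x25519, P-256
        + _ext(0x000B, b"\x01\x00")                                      # ec_point_formats
        + _ext(0x000D, struct.pack(">HHHH", 6, 0x0804, 0x0401, 0x0403))  # signature_algorithms
        + _ext(RENEGOTIATION_INFO, b"\x00")
    )
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"            # version, random, empty session id
        + struct.pack(">H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                     # one compression method: null
        + struct.pack(">H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_server_hello(msg: bytes) -> dict:
    """Parse one ServerHello handshake message (4-byte header included).
    The extensions block is optional in TLS 1.2, so its absence yields an
    empty map; truncated or overrunning lengths raise ValueError."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) < length or length < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                 # skip server random
    pos += 1 + body[pos]                         # skip session id
    cipher_suite = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 3                                     # cipher suite + compression method
    extensions = {}
    if pos < len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        if end > len(body):
            raise ValueError("extension block overruns message")
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns block")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}

def supports_rfc5746(server_hello: bytes) -> bool:
    """True when the ServerHello carries renegotiation_info; its absence is
    what makes Firefox log 'server does not support RFC 5746'."""
    return RENEGOTIATION_INFO in parse_server_hello(server_hello)["extensions"]

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf

def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check: needs network and a server that negotiates TLS 1.2."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        ctype, _version, length = struct.unpack(">BHH", _recv_exact(sock, 5))
        payload = _recv_exact(sock, length)
    if ctype == 21:
        raise RuntimeError(f"server sent TLS alert {payload.hex()}")
    if ctype != 22:
        raise RuntimeError(f"unexpected record type {ctype}")
    return supports_rfc5746(payload)             # ServerHello is the record's first message

def make_server_hello(with_renegotiation_info: bool) -> bytes:
    """Constructed sample ServerHello (TLS 1.2, suite 0xC02F), not captured."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", 0xC02F) + b"\x00"
    if with_renegotiation_info:
        exts = _ext(RENEGOTIATION_INFO, b"\x00")
        body += struct.pack(">H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for h in sys.argv[1:]:
            print(h, "advertises RFC 5746:", probe(h))
    else:   # offline self-check on the constructed samples
        print("with extension:", supports_rfc5746(make_server_hello(True)),
              "| without:", supports_rfc5746(make_server_hello(False)))
```

Run it as `python3 rfc5746_probe.py cdn3.optimizely.com` to test a host, or with no arguments to exercise the parser on the constructed samples. The same answer is available from OpenSSL without any code: `openssl s_client -connect cdn3.optimizely.com:443 -servername cdn3.optimizely.com </dev/null 2>/dev/null | grep 'Secure Renegotiation'` prints `Secure Renegotiation IS supported` or `IS NOT supported`; force a TLS 1.2 handshake with `-tls1_2` when the server prefers TLS 1.3, since a 1.3 connection has no renegotiation and therefore nothing to report.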
This looks like it is closed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED