Closed Bug 1108677 Opened 10 years ago Closed 9 years ago

blog.blockchain.com generates inappropriate_fallback alert

Categories

(Core :: Security: PSM, defect)

RESOLVED WORKSFORME

People

(Reporter: mt, Unassigned)

References

(Depends on 1 open bug)

Details

https://blog.blockchain.com/ triggers fallback from TLS 1.2 due to a name failure.

    TLSv1.2 Record Layer: Alert (Level: Warning, Description: Unrecognized Name)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Warning (1)
            Description: Unrecognized Name (112)
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

The subsequent TLS 1.1 handshake fails with a fatal inappropriate_fallback alert.

The site is not present on HTTPS, likely because a certificate hasn't been provisioned, but we report a fairly cryptic (and scary) message when the connection fails.

This appears to be an error in how we report problems, and it may be something we could improve the reporting on.  Starting with bug 1075167 is probably the best thing.

Ultimately, we might want to consider integrating warning alerts into the process of determining what error to report, but for cases like this, it's probably not going to have that big a return on investment.
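
An added example, not part of the bug report and not Firefox or NSS code: a small Python decoder for the alert records quoted above, with a hypothetical `explain` helper that reports warning alerts from earlier attempts alongside the final fatal alert, as the report suggests. The byte strings are constructed to match the capture; the TLS 1.1 record version (0x0302) is an assumption.

```python
import struct

# Alert descriptions relevant to this bug (RFC 5246, RFC 6066, RFC 7507).
ALERT_NAMES = {40: "handshake_failure", 86: "inappropriate_fallback",
               112: "unrecognized_name"}
LEVELS = {1: "warning", 2: "fatal"}

def parse_alerts(data):
    """Decode consecutive unencrypted TLS alert records into (level, name) tuples."""
    alerts, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", data, off)
        off += 5
        if ctype != 21:
            raise ValueError(f"not an alert record (content type {ctype})")
        if length != 2 or len(data) - off < 2:
            raise ValueError("alert body must be exactly 2 bytes")
        level, desc = data[off], data[off + 1]
        off += 2
        alerts.append((LEVELS.get(level, f"level_{level}"),
                       ALERT_NAMES.get(desc, f"alert_{desc}")))
    return alerts

def explain(attempts):
    """attempts: ordered list of (client_version, alerts), one per connection attempt.
    Returns the fatal alert that ended the last attempt plus every warning alert
    seen on any attempt, since the warning may carry the real cause."""
    last_version, last_alerts = attempts[-1]
    fatal = next((d for lvl, d in last_alerts if lvl == "fatal"), None)
    hints = [d for _, alerts in attempts for lvl, d in alerts if lvl == "warning"]
    return {"version": last_version, "fatal": fatal, "hints": hints}

# Constructed bytes matching the two records in the capture above.
TLS12_ATTEMPT = bytes.fromhex("1503030002" "0170" "1503030002" "0228")
# Constructed: fatal inappropriate_fallback (86); record version is assumed.
TLS11_ATTEMPT = bytes.fromhex("1503020002" "0256")

if __name__ == "__main__":
    attempts = [("TLS 1.2", parse_alerts(TLS12_ATTEMPT)),
                ("TLS 1.1", parse_alerts(TLS11_ATTEMPT))]
    print(explain(attempts))
```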

Works for me. The site fixed the issue?

Still failing for me.  Perhaps we are hitting different instances.  I have 50.87.196.92, is yours being served from a different IP?

(In reply to Martin Thomson [:mt] from comment #2)
> Still failing for me.  Perhaps we are hitting different instances.  I have
> 50.87.196.92, is yours being served from a different IP?

50.87.196.92, the same IP address.

Is this still an issue? This WFM for me on Aurora 38 with fallbacks disabled.
Flags: needinfo?(martin.thomson)

Yes, WFM now too.  The server now supports the fallback SCSV, so they must have updated.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(martin.thomson)
Resolution: --- → WORKSFORME