Closed
Bug 1112178
Opened 10 years ago
Closed 8 years ago
www.boostmobilesales.com is RC4 only
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: u123541, Unassigned)
Details
(Whiteboard: [sitewait])
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20141216030203

Steps to reproduce:

Opening new bug as requested in bug 1096395 comment 4:

> Could you provide the public portions of the certificate in question?

Instructions for doing this? Looked in about:, .mozilla/* and googled...
Prefs->Advanced->Certificates:
Your Certificates: empty
People: empty
Servers: nothing related to boostmobile.com
Authorities: nothing obvious
Others: HP AiO printer stuff only

> Does this work in beta? ( https://beta.mozilla.org/ )

No. Beta is what I always run as my main browser, with FF34/Wine as alternate.

Actual results:

Tried to login to MyAccount on http://boostmobile.com -- last time I logged in was probably 6-10 weeks ago. Login works when using FF34.0.5/Wine.

Expected results:

Successful login was expected. Reported issue to BoostMobile as early warning since it works with production FF.
The failure dialog has a Learn More... link which is not helpful for debugging. Its "Report" button doesn't seem to do anything when clicked.
Pierre, what is the URL that's failing? (i.e. copy/paste the contents of the location bar on the page you see the 'secure connection failed' error on)

Also, if you're curious, one way to get a copy of the certificate that's failing is to use Wireshark to capture packets from the failed connection. Let me know if you want more details on that.
Flags: needinfo?(pf)
Thanks, Pierre. This appears to be a fallback/TLS intolerance issue. If I set security.tls.version.fallback-limit to 1 (instead of the default 3), the page loads. :emk, any ideas?
Flags: needinfo?(VYV03354)
Summary: secure connection failed → myaccount.boostmobile.com is TLS-intolerant or security.tls.version.fallback-limit doesn't work as expected
Hiding potentially personally-identifiable/sensitive information (I don't think anything sensitive was available, but just in case).
Comment 6•10 years ago
Firefox 34 fails to connect if I set security.tls.version.fallback-limit to 3. So the RC4 fallback is ruled out.

Interestingly, ssllabs' handshake simulation indicates Firefox 31.3.0 ESR / Win 7 and Firefox 34 / OS X will fail to connect (the handshake simulation doesn't implement the fallback).
https://www.ssllabs.com/ssltest/analyze.html?d=myaccount.boostmobile.com

Maybe the site dislikes something in our ClientHello?
Flags: needinfo?(VYV03354)
Comment 7•10 years ago
I can connect if I set security.tls.version.fallback-limit to 3 *and* security.tls.version.min to 0. That is, this site will negotiate with TLS 1.0 if the ClientHello version is TLS 1.0 while it will negotiate with SSL 3.0 if the ClientHello version is TLS 1.2. Bug 1085138 comment #4 and onwards mentioned some other instance of those sites.
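The fallback-limit observations in the comments above, as an added example that is not part of the original thread and is not Firefox or NSS code: a simplified model of the client's version fallback, using the 0-3 numbering of the security.tls.version.* prefs. `site_server` is a constructed stand-in for the site, and its TLS 1.1 behaviour is an assumption taken from the bug summary.

```python
# Simplified model (an assumption, not Firefox/NSS code) of TLS version fallback.
# Numbering as in security.tls.version.*: 0=SSL 3.0, 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2
NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


def site_server(hello_version):
    """Constructed stand-in for the server behaviour reported in this bug.

    A TLS 1.0 ClientHello is answered with TLS 1.0; a TLS 1.2 ClientHello is
    answered with SSL 3.0. TLS 1.1 is assumed to behave like TLS 1.2, based
    on the summary "1.0 works, 1.1 and 1.2 don't".
    """
    return hello_version if hello_version <= 1 else 0


def compliant_server(hello_version, server_max=3):
    """A version-tolerant server picks the highest version both sides support."""
    return min(hello_version, server_max)


def connect(server, vmin=1, vmax=3, fallback_limit=3):
    """Return (negotiated version or None, list of ClientHello versions tried).

    The client offers vmax first. If the server's choice is below vmin the
    handshake fails and the client retries one version lower, but never
    below max(vmin, fallback_limit).
    """
    floor = max(vmin, fallback_limit)
    attempts = []
    offer = vmax
    while True:
        attempts.append(offer)
        chosen = server(offer)
        if vmin <= chosen <= offer:
            return chosen, attempts
        if offer - 1 < floor:
            return None, attempts
        offer -= 1


if __name__ == "__main__":
    cases = [("defaults (limit 3)", site_server, {}),
             ("fallback-limit 1", site_server, {"fallback_limit": 1}),
             ("limit 3, min 0", site_server, {"vmin": 0}),
             ("tolerant server", compliant_server, {})]
    for label, server, prefs in cases:
        version, tried = connect(server, **prefs)
        result = NAMES[version] if version is not None else "connection failed"
        print(f"{label}: tried {[NAMES[v] for v in tried]} -> {result}")
```

The third case is the one to watch when auditing a server: the connection only succeeds because the client was configured to accept SSL 3.0.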
Updated•10 years ago
Component: Untriaged → Security: PSM
Product: Firefox → Core
Updated•10 years ago
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Summary: myaccount.boostmobile.com is TLS-intolerant or security.tls.version.fallback-limit doesn't work as expected → myaccount.boostmobile.com is TLS-intolerant (1.0 works, 1.1 and 1.2 don't)
Version: 37 Branch → unspecified
Comment 8•9 years ago
Looks like myaccount.boostmobile.com has been fixed. But the redirect target, www.boostmobilesales.com, is still broken (RC4 only).
Summary: myaccount.boostmobile.com is TLS-intolerant (1.0 works, 1.1 and 1.2 don't) → www.boostmobilesales.com is RC4 only
Updated•9 years ago
Blocks: RC4-Dependence
Comment 9•9 years ago
If we're going to contact them, here are some possible contact points:

Twitter: https://twitter.com/boostmobile
Google+: https://plus.google.com/+boostmobile
Facebook: https://m.facebook.com/boostmobile
Contactlink: http://www.boostmobile.com/support/contact-customer-service/

BTW a direct link for analysing the boostmobilesales.com domain is https://www.ssllabs.com/ssltest/analyze.html?d=boostmobilesales.com

I'll send them a tweet.
Updated•9 years ago
Whiteboard: [sitewait]
Comment 10•9 years ago
A response from customer service at least: https://twitter.com/BoostCare/status/652102371724652544
Comment 11•8 years ago
Looks like this is fixed now.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•5 years ago
Product: Tech Evangelism → Web Compatibility