Closed
Bug 1120887
Opened 11 years ago
Closed 11 years ago
Can't connect to www.esurv.uksv.net with SSL3 disabled
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: mhaigh, Unassigned)
Details
Steps to reproduce:
Try to access https://www.esurv.uksv.net/
Actual results:
Secure Connection Failed
An error occurred during a connection to www.esurv.uksv.net. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
Expected results:
Page should have opened; it works in Chrome 39.
Comment 1•11 years ago
FWIW, I can connect to this site using Aurora 37 and IE11 if I enable SSL3 for both, but not if I disable SSL3. So this might be a Tech Evangelism issue.
Unfortunately, https://www.ssllabs.com/ssltest/analyze.html?d=esurv.uksv.net gives "Unexpected failure" for 91.207.110.119, and "No secure protocols supported" for 91.207.110.65...
Comment 2•11 years ago
FWIW, I'm not able to reproduce with https://www.esurv.uksv.net/ in the latest Nightly. I get a similar issue with an internal HTTPS website. The URL is https://campus1.iitd.ac.in/psp/hcmprod1/EMPLOYEE/HRMS/?cmd=logout. Let me know if I can provide any other information which can help debug and fix this issue. For me that internal website opens in Chrome.
Comment 3•11 years ago
Hi,
I get the same error for a different public URL.
https://products.geotrust.com/orders/A.do?p=XX
The error does not happen with FF35 + FF36.0b3
The error does not happen with Chromium40
The error does happen with both 37.0a2 (from debian) + nightly downloaded today 2015-01-26
Ciphersuites offered by server according to: https://www.ssllabs.com/ssltest/analyze.html?d=products.geotrust.com
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 112
And those for i.e. Iceweasel 37.0a2 as of: https://www.ssllabs.com/ssltest/viewMyClient.html for iceweasel 37.0a2
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
So both 0x2f + 0x35 are in both lists, so I would have expected the connection to work.
Note: The working Chromium40 does report TLS1.0, RC4_128, SHA1 for message authentication and RSA for key exchange mechanism as connection info.
Let me know if you need any more information.
Comment 4•11 years ago
(In reply to Stefan Hühner from comment #3)
> Hi,
> i get the same error for a different public url.
>
> https://products.geotrust.com/orders/A.do?p=XX
Looking at https://www.ssllabs.com/ssltest/analyze.html?d=products.geotrust.com , I see:
> TLS version intolerance TLS 1.1 TLS 1.2 TLS 1.3 TLS 1.98 TLS 2.98 PROBLEMATIC
... So I'm pretty sure this is actually an intolerance issue in disguise.
This site shows up in the whitelist in Bug 1128227, so I guess this case will be handled there.
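The list comparison from comment 3 and the SSL3-only observation from comment 1, as an added example (not part of the bug thread and not Mozilla's code): it parses the two SSL Labs lists quoted in comment 3, intersects them by code point, and separates a protocol-version mismatch from a real cipher mismatch. The version sets passed to `triage` are assumptions constructed for illustration.

```python
import re

# Cipher-suite lines exactly as quoted from SSL Labs in comment 3.
SERVER_REPORT = """\
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 112
"""
CLIENT_REPORT = """\
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
"""
SUITE_RE = re.compile(r"^(TLS_\w+) \((0x[0-9a-fA-F]+)\)", re.M)

def parse_suites(report):
    """Return [(code_point, name)] in listed order, skipping non-suite lines."""
    return [(int(code, 16), name) for name, code in SUITE_RE.findall(report)]

def shared_suites(client_report, server_report):
    """Suites both sides offer, matched by code point, in client order."""
    server_codes = {code for code, _ in parse_suites(server_report)}
    return [(c, n) for c, n in parse_suites(client_report) if c in server_codes]

def triage(client_report, server_report, client_versions, server_versions):
    """Name the layer that fails, independent of the browser's error text."""
    if not set(client_versions) & set(server_versions):
        return "no common protocol version"
    if not shared_suites(client_report, server_report):
        return "no common cipher suite"
    return "versions and suites overlap; look at version intolerance"

# Version sets below are constructed for illustration (hypothetical inputs).
FIREFOX_NO_SSL3 = {"TLS1.0", "TLS1.1", "TLS1.2"}
if __name__ == "__main__":
    print([hex(c) for c, _ in shared_suites(CLIENT_REPORT, SERVER_REPORT)])
    print(triage(CLIENT_REPORT, SERVER_REPORT, FIREFOX_NO_SSL3, {"SSL3"}))
    print(triage(CLIENT_REPORT, SERVER_REPORT, FIREFOX_NO_SSL3, {"TLS1.0"}))
```

For the products.geotrust.com lists the shared suites are 0x2f, 0x35 and 0xa, so the cipher lists alone do not account for the error.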
Comment 5•11 years ago
(In reply to Cykesiopka from comment #1)
> FWIW, I can connect to this site using Aurora 37 and IE11 if I enable SSL3
> for both, but not if I disable SSL3. So this might be a Tech Evangelism
> issue.
>
> Unfortunately, https://www.ssllabs.com/ssltest/analyze.html?d=esurv.uksv.net
> gives "Unexpected failure" for 91.207.110.119, and "No secure protocols
> supported" for 91.207.110.65...
(In reply to Saurabh Anand [:sawrubh] from comment #2)
> fwiw I'm not able to reproduce with https://www.esurv.uksv.net/ in the
> latest Nightly.
Hmm, https://www.ssllabs.com/ssltest/analyze.html?d=esurv.uksv.net no longer results in a failure, and I can connect using Aurora 37, without allowing SSL3.
I'm guessing the server was broken, and is now fixed.
Martyn, does this server work for you now?
Flags: needinfo?(mhaigh)
Comment 7•11 years ago
(In reply to Martyn Haigh (:mhaigh) from comment #6)
> This url now works for me using 35.0.1
Thanks. Resolving as WFM.
I'm going to assume that this issue was due to the server only supporting SSL3 (see Comment 1).
Blocks: POODLEBITE
Status: NEW → RESOLVED
Closed: 11 years ago
Component: Security → Desktop
Product: Firefox → Tech Evangelism
Resolution: --- → WORKSFORME
Summary: Possible incorrect "Error code: ssl_error_no_cypher_overlap" → Can't connect to www.esurv.uksv.net with SSL3 disabled
Version: 34 Branch → unspecified
Updated•7 years ago
Product: Tech Evangelism → Web Compatibility