Closed
Bug 1120977
Opened 8 years ago
Closed 8 years ago
windecare.wind.it uses GTE CyberTrust Global Root
Categories
(Web Compatibility :: Desktop, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: andrea.totaro72, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141125180439

Steps to reproduce:
Open http://www.wind.it/it/business/
Click on the right top of screen 'Area Clienti'
Enter user name and password

Actual results:
The error below is displayed:
An error occurred during a connection to windecare.wind.it. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Expected results:
The account page should open as it always had.
I have already tried to disable Symantec antivirus, and to start Firefox in safe mode disabling all extensions. The site works fine with IE11.
Comment 1•8 years ago
https://www.ssllabs.com/ssltest/analyze.html?d=windecare.wind.it doesn't make for happy reading.

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
This site is intolerant to newer protocol versions, which might cause connection failures.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
There is no support for secure renegotiation.
The server does not support Forward Secrecy with the reference browsers.

--

I expect that the 'newer protocol versions' bit is what is biting the Firefox connection here. If you are a customer with WIND, I would suggest contacting them to inform them they need to look at the security of these servers.

Needinfo'ing keeler to doublecheck what, in particular, is going wrong for Firefox when trying the steps you gave.
Component: Untriaged → Security: PSM
Flags: needinfo?(dkeeler)
Product: Firefox → Core
Comment 2•8 years ago
Hi thanks for the quick reply. I don't know if you realize it, but WIND is a big company (like Vodafone). The chances of me getting through somebody from Wind's IT department are 0. I guess I will have to use IE11.
Comment 3•8 years ago
(In reply to andrea.totaro72 from comment #2)
> Hi thanks for the quick reply.
> I don't know if you realize it, but WIND is a big company (like Vodafone).

Yes, I'm aware of this.

> The chances of me getting through somebody from Wind's IT department are 0.

Well, I would not be quite so pessimistic - and if we don't try, there will definitely not be any change. Firefox 34 is released already, and so is Firefox 35 (effectively, anyway), so Firefox can't really fix this. WIND needs to update their server. :-(
Comment 4•8 years ago
It doesn't look like that server actually does support TLS 1.0:

keeler@keeler ~ $ openssl s_client -connect windecare.wind.it:443 -tls1 < /dev/null
CONNECTED(00000003)
139891907401600:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:s3_pkt.c:1257:SSL alert number 47
139891907401600:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1421171868
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

This is an evangelism issue. Also note that the site uses the deprecated 'GTE CyberTrust Global Root'.
Component: Security: PSM → Desktop
Flags: needinfo?(dkeeler)
Product: Core → Tech Evangelism
Version: 34 Branch → Trunk
Comment 5•8 years ago
Doesn't look like this server is in the static list in Bug 1128227, but I guess it doesn't matter with how crazy broken the server is.
Blocks: TLS-Intolerance
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Secure Connection Failed An error occurred during a connection SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert) → windecare.wind.it is TLS 1.1/1.2 intolerant (among many other issues)
Comment 6•8 years ago
We could connect to windecare.wind.it until Firefox 33 because we used to fall back down to SSLv3. (ssl_error_illegal_parameter_alert is a fallback reason.) Chrome 40 couldn't connect to the site, either.
Comment 7•8 years ago
And IE11 will also disable the fallback to SSLv3 tomorrow :) I'm surprised WIND survived customers' complaints until today.
Comment 8•8 years ago
Yea, the server is extensions intolerant. BTW, I want this to block bug 1047011 because of the use of the GTE CyberTrust root.
Updated•8 years ago
Comment 9•8 years ago
Looks like some progress has been made:
- No more SSL2
- Secure Renegotiation is now supported
- TLS 1.0 connections seem to work fine (via SSL Labs, and local testing with the static fallback list disabled)

The end-entity cert still chains up to the GTE CyberTrust Global Root, but that's another issue.
No longer blocks: POODLEBITE
Comment 10•8 years ago
FYI, SSL Labs shows that IE11 has to fall back but Firefox doesn't, probably because NSS uses 0x0301 in the record layer but SChannel uses 0x0303 instead.
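The record-layer version difference discussed in comment 10, the extension intolerance from comment 8 and the "alert number 47" (illegal_parameter) seen in comment 4 can all be checked against a server with a hand-built ClientHello. The following probe is an added example written for this page, not code from Mozilla, NSS or SSL Labs; the host name, cipher list and the sample server replies in the test are constructed.

```python
import os
import struct

HANDSHAKE, ALERT = 0x16, 0x15
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(record_version=(3, 1), client_version=(3, 3),
                       with_extensions=True, server_name="example.invalid"):
    """Build one TLS ClientHello record. Defaults mimic a TLS 1.2 client that,
    like NSS at the time, keeps the record-layer version at TLS 1.0 (0x0301)."""
    ciphers = bytes.fromhex("c02fc030009c009d002f0035")  # a handful of common suites (constructed list)
    body = bytes(client_version) + os.urandom(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", len(ciphers)) + ciphers
    body += b"\x01\x00"  # compression methods: null only
    if with_extensions:  # an extension-intolerant server chokes on this part
        host = server_name.encode()
        sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
        ext = struct.pack("!HH", 0, len(sni)) + sni  # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return (bytes([HANDSHAKE]) + bytes(record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data):
    """Classify the first record a server sends back.
    Returns ('server_hello', (major, minor)), ('alert', name), ('empty', None) or ('other', type)."""
    if len(data) < 5:
        return ("empty", None)
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == ALERT and len(payload) >= 2:
        return ("alert", ALERT_NAMES.get(payload[1], "alert_%d" % payload[1]))
    if ctype == HANDSHAKE and payload[:1] == b"\x02" and len(payload) >= 6:
        return ("server_hello", (payload[4], payload[5]))
    return ("other", ctype)


def probe(host, port=443, **hello_kwargs):
    """Send one ClientHello to a live server you operate and classify its reply (needs network)."""
    import socket
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_client_hello(server_name=host, **hello_kwargs))
        return classify_response(sock.recv(4096))


if __name__ == "__main__":
    # Constructed sample replies: a TLS 1.2 ServerHello and the alert from comment 4 (number 47 = 0x2f).
    print(classify_response(bytes.fromhex("1603030006020000020303")))  # ('server_hello', (3, 3))
    print(classify_response(bytes.fromhex("1503010002022f")))          # ('alert', 'illegal_parameter')
```

Running `probe(host)` with `record_version=(3, 1)` and then `(3, 3)`, or with `with_extensions=False`, shows which part of a modern ClientHello a server rejects, which is the distinction SSL Labs draws between the NSS and SChannel handshakes.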
Comment 11•8 years ago
No longer TLS intolerant. Morphing this to a bug about the GTE CyberTrust Global Root.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Summary: windecare.wind.it is TLS 1.1/1.2 intolerant (among many other issues) → windecare.wind.it uses GTE CyberTrust Global Root
Updated•8 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 12•8 years ago
Fixed.
Updated•8 years ago
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → FIXED
Updated•4 years ago
Product: Tech Evangelism → Web Compatibility