Closed Bug 1120977 Opened 7 years ago Closed 6 years ago

windecare.wind.it uses GTE CyberTrust Global Root

Categories

(Web Compatibility :: Desktop, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: andrea.totaro72, Unassigned)

References

()

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141125180439

Steps to reproduce:

Open http://www.wind.it/it/business/ Click on the right top of screen 'Area Clienti'
Enter user Name and password


Actual results:

The error below is displayed:
An error occurred during a connection to windecare.wind.it. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.



Expected results:

The account of page should open as it always had.

I have already tried to disable symantec antivirus, to start firefox in safe mode disabling all extensions.
The site works fine with IE11
https://www.ssllabs.com/ssltest/analyze.html?d=windecare.wind.it doesn't make for happy reading.

This server supports SSL 2, which is obsolete and insecure. Grade set to F.

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.

Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.

This site is intolerant to newer protocol versions, which might cause connection failures.

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.

This server accepts the RC4 cipher, which is weak. Grade capped to B.

There is no support for secure renegotiation.

The server does not support Forward Secrecy with the reference browsers.


--
I expect that the 'newer protocol versions' bit is what is biting the Firefox connection here. If you are a customer with WIND, I would suggest contacting them to inform them they need to look at the security of these servers.

Needinfo'ing keeler to doublecheck what, in particular, is going wrong for Firefox when trying the steps you gave.
Component: Untriaged → Security: PSM
Flags: needinfo?(dkeeler)
Product: Firefox → Core
Hi thanks for the quick reply.
I don't know if you realize it, but WIND is a big company (like Vodafone).
The chances of me getting through somebody from Wind's IT department are 0.
I guess I will have to use IE11.
(In reply to andrea.totaro72 from comment #2)
> Hi thanks for the quick reply.
> I don't know if you realize it, but WIND is a big company (like Vodafone).

Yes, I'm aware of this.

> The chances of me getting through somebody from Wind's IT department are 0.

Well, I would not be quite so pessimistic - and if we don't try, there will definitely not be any change.

Firefox 34 is released already, and so is Firefox 35 (effectively, anyway), so Firefox can't really fix this. WIND needs to update their server. :-(
It doesn't look like that server actually does support TLS 1.0:

keeler@keeler ~ $ openssl s_client -connect windecare.wind.it:443 -tls1 < /dev/null
CONNECTED(00000003)
139891907401600:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:s3_pkt.c:1257:SSL alert number 47
139891907401600:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1421171868
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

This is an evangelism issue.
Also note that the sites uses the deprecated 'GTE CyberTrust Global Root'.
Component: Security: PSM → Desktop
Flags: needinfo?(dkeeler)
Product: Core → Tech Evangelism
Version: 34 Branch → Trunk
Doesn't look like this server is in the static list in Bug 1128227, but I guess it doesn't matter with how crazy broken the server is.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Secure Connection Failed An error occurred during a connection SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert) → windecare.wind.it is TLS 1.1/1.2 intolerant (among many other issues)
We could connect windecare.wind.it until Firefox 33 because we used to fallback down to SSLv3.
(ssl_error_illegal_parameter_alert is a fallback reason.) Chrome 40 couldn't connect the site, either.
Blocks: POODLEBITE
No longer blocks: TLS-Intolerance
And IE11 will also disable the fallback to SSLv3 tomorrow :)
I'm surprised WIND survived customer's complaints until today.
Yea, the server is extensions intolerant. BTW, I want this to block bug 1047011 because of the use of the GTE CyberTrust root.
OS: Windows 8.1 → All
Hardware: x86_64 → All
Looks like some progress has been made:
 - No more SSL2
 - Secure Renegotiation is now supported
 - TLS 1.0 connections seem to work fine (via SSL Labs, and local testing with the static fallback list disabled)

The end-entity cert still chains up to the GTE CyberTrust Global Root, but that's another issue.
No longer blocks: POODLEBITE
FYI, SSL Labs shows that IE11 has to fallback but Firefox don't, probably because NSS uses 0x0301 in the record layer but SChannel uses 0x0303 instead.
No longer TLS intolerant. Morphing this to a bug about the GTE CyberTrust Global Root.
Blocks: 1047011
No longer blocks: TLS-Intolerance
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Summary: windecare.wind.it is TLS 1.1/1.2 intolerant (among many other issues) → windecare.wind.it uses GTE CyberTrust Global Root
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Fixed.
Status: REOPENED → RESOLVED
Closed: 7 years ago6 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility
You need to log in before you can comment on or make changes to this bug.