Bug 1126620 (TLS-Intolerance)

[META] TLS 1.1/1.2 version intolerant sites

Status: RESOLVED FIXED
Product: Tech Evangelism
Component: Desktop
Reported: 3 years ago
Modified: 2 years ago

People: Reporter: Dave Garrett (Unassigned)

Tracking: Keywords: site-compat
Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment

(Reporter)

Description

3 years ago
Bug 1084025 disables insecure TLS version fallback and bug 1114816 adds a whitelist to compensate for broken sites which still need it due to TLS version intolerance. This meta-bug is to organize the various bugs filed for individual servers on the topic.

Starting with dependencies of the bugs noted in the current whitelist patch. Filing new TE bugs for every broken site on the Internet would probably not be productive, but bugs for high-visibility sites might be useful.
(Reporter)

Comment 1

3 years ago
A quick way to test if an individual site connectivity issue is the result of TLS version intolerance is to run it through: https://www.ssllabs.com/ssltest

Once complete, scroll down to the "Protocol Details" section of the test results. Both TLS version and extension intolerance are tested for. If the domain is intolerant to TLS 1.1 or 1.2, then this meta-bug is applicable.
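Comment 1 relies on SSL Labs' "Protocol Details" check. As an added local equivalent (example code written for this page, not part of the bug or of Firefox), the Python probe below offers ClientHellos capped at TLS 1.2, 1.1 and 1.0 in turn and reports whether the failure pattern is the one version intolerance produces: the newer hello is aborted while an older one completes. It assumes Python 3.7+ on OpenSSL, a local security level that still permits TLS 1.0/1.1 handshakes, and a host name supplied by the caller.

```python
import socket
import ssl

# Offered maximum versions, newest first (ssl.TLSVersion needs Python 3.7+).
VERSIONS = [
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
]


def handshake_ok(host, name, port=443, timeout=5.0):
    """One handshake whose ClientHello is capped at `name`; True if it completes."""
    version = dict(VERSIONS)[name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # certificate validity is not the question here
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def classify(outcomes):
    """outcomes maps each name in VERSIONS to whether that handshake completed.

    A version-tolerant server accepts the newest ClientHello and negotiates
    down if it must; an intolerant one aborts the newer hello but accepts an
    older one. Failure at every version is not version intolerance (a server
    that only offers ciphers the client refuses, as in comment 10, looks like
    this), so it is reported separately."""
    names = [n for n, _ in VERSIONS]
    accepted = [n for n in names if outcomes.get(n)]
    if not accepted:
        return ("no-handshake", None)
    highest = accepted[0]
    if highest == names[0]:
        return ("tolerant", highest)
    return ("version-intolerant", highest)


def probe(host, attempt=handshake_ok):
    """Try every capped ClientHello against host and classify the pattern."""
    outcomes = {name: attempt(host, name) for name, _ in VERSIONS}
    return classify(outcomes)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))  # e.g. ('version-intolerant', 'TLSv1.0')
```

`attempt` is injectable so the classification can be exercised offline with constructed outcomes; a real run needs network access to the host.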
(Reporter)

Updated

3 years ago
See Also: → bug 1085138
(Reporter)

Updated

3 years ago
Keywords: site-compat
Tweeted: https://twitter.com/FxSiteCompat/status/560257529813692416

Comment 3

3 years ago
Due to TLS 1.1/1.2?
Depends on: 1126652
Depends on: 1126654

Updated

3 years ago
Depends on: 1127204
Depends on: 1127611
Depends on: 1128318
Depends on: 1128366
Depends on: 1128581
Depends on: 1128602
Depends on: 1128615
Depends on: 1090765
(Reporter)

Updated

3 years ago
Alias: TLS-Intolerance
Status: NEW → UNCONFIRMED
Ever confirmed: false
No longer depends on: 1128581

Comment 4

3 years ago
What is the deadline for whitelisting for released version?

I found one airline website that has this issue and contacted the customer support.
This issue is under consideration in the company. So I would like to report the site only when they miss the deadline.
(Reporter)

Updated

3 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 5

3 years ago
(In reply to Takanori MATSUURA from comment #4)
> What is the deadline for whitelisting for released version?

There is no official timetable yet. In fact, the current nightly only has a small list and the full list has yet to land. (see bug 1128227) After that lands it'll be uplifted to Aurora, and around February 24th it'll probably go to beta. Beta gets fewer updates, but major sites could still be added (assuming the maintainer permits it). The week of April 7th would be final release unless it gets held back. I would guess the last realistic time to amend the list prior to release would be in late March.

> I found one airline website has this issue and contacted to the customer
> support.
> This issue is under consideration in the company. So I would like to report
> the site only when they miss the deadline.

I would recommend filing a TE bug (same product as this bug) and setting it to block this bug. It gives the company a place to be pointed to and reply. It has been known to help get things done more easily in the past, though all too often they just track the fact that the company never followed up on the report. Just put in your description the fact that you already attempted contact and are waiting on a resolution prior to requesting whitelisting. That's always preferred if possible.

Updated

3 years ago
Depends on: 1129773

Comment 6

3 years ago
Thanks Dave.
Filed as bug 1129773.

Updated

3 years ago
Depends on: 1129887

Comment 7

3 years ago
One more question.

When is the hard-coded whitelist (by bug 1129773) removed?
An announcement of the date for removing the whitelist may be required, especially for the maintainers of the listed websites.
(Reporter)

Comment 8

3 years ago
The patch in bug 1128227 also has a script to auto-prune the list which will be run periodically by the maintainer. Domains which are updated to no longer need the list (or start to break with the list) will be removed and the list will shrink over time. I don't think anyone knows how long it will be until it is small enough to warrant removal. I would expect they would also want telemetry to know how commonly it is used.

I think the idea of requiring a warning page and user confirmation before doing an insecure fallback is still under consideration, and might be done at some point in the future when the list gets smaller. (or possibly in direct response to a new exploit)

My best guess is that the whitelist has a good chance of staying in use for at least the rest of this year, but that is only a wild guess. I would recommend acting like it could go away at any time. It's not a fix; it's a workaround for horribly broken servers that need to be upgraded.
Depends on: 1130472
Depends on: 1130693

Updated

3 years ago
Depends on: 1120977
No longer depends on: 1120977

Updated

3 years ago
Depends on: 1132399

Updated

3 years ago
Depends on: 1132540
Depends on: 1133312
No longer depends on: 1133312
Depends on: 1133648
No longer depends on: 1133648
No longer depends on: 1132540

Updated

3 years ago
Depends on: 1134709
Depends on: 1117157

Comment 9

3 years ago
Probably another one.
https://webcompat.com/issues/706

Comment 10

3 years ago
(In reply to Karl Dubost :karlcow from comment #9)
> Probably another one.
> https://webcompat.com/issues/706

Actually it is a fallout from bug 1124039. The site is TLS tolerant but RC4 or Camellia only. Could you file an evangelism bug and block bug 1124039 to track this?

Updated

3 years ago
Depends on: 1136091
No longer depends on: 1136091
Depends on: 1136376
No longer depends on: 1136376

Comment 11

3 years ago
(In reply to Masatoshi Kimura [:emk] from comment #10)
> (In reply to Karl Dubost :karlcow from comment #9)
> > Probably another one. 
> > https://webcompat.com/issues/706
> 
> Actually it is a fallout from bug 1124039. The site is TLS tolerant but RC4
> or Camellia only. Could you file a evangelism bug and block bug 1124039 to
> track this?

I filed Bug 1137444.
Depends on: 1137677

Updated

3 years ago
Depends on: 1137981

Updated

3 years ago
Depends on: 1135561

Updated

3 years ago
Depends on: 1137983
(Reporter)

Updated

3 years ago
See Also: → bug 1138101

Updated

3 years ago
Depends on: 1138211
(Reporter)

Updated

3 years ago
No longer depends on: 1138211
(Reporter)

Updated

3 years ago
Depends on: 1139065

Updated

3 years ago
Depends on: 1139706

Updated

3 years ago
Depends on: 1120977
Created attachment 8574196 [details]
fx37b2_tls_intolerant_sites.txt

I ran a compatibility test of Fx37b2 against Fx36.0.1 to look for any potential site breakage. I used the Pulse top SSL site list of around 200k domains.

This attached list contains an additional 88 sites that are all most likely TLS intolerant and will break in Fx37b2. This is in addition to the site lists that I posted as attachments to bug 1084025. I have not checked all of them - just a handful - but they seem to fail for related reasons. Obviously some of these sites are not being maintained at all and may not respond to requests to upgrade their SSL stack, but I am providing this list anyway.
Depends on: 1141933

Updated

3 years ago
No longer depends on: 1141933

Updated

3 years ago
Depends on: 1141985
No longer depends on: 1120977

Updated

3 years ago
Depends on: 1143035

Updated

3 years ago
No longer depends on: 1141985
Depends on: 1144726
(Reporter)

Updated

3 years ago
No longer depends on: 1144726

Updated

3 years ago
Depends on: 1145521

Updated

3 years ago
Depends on: 1145524

Updated

3 years ago
Depends on: 1146017

Updated

3 years ago
Depends on: 1144058

Updated

3 years ago
No longer depends on: 1144058

Updated

3 years ago
Depends on: 1147649

Updated

3 years ago
No longer depends on: 1139065

Updated

3 years ago
Depends on: 1150816

Updated

3 years ago
Depends on: 1151580
Depends on: 1151575

Updated

3 years ago
Depends on: 1151818

Updated

3 years ago
Depends on: 1151781

Updated

3 years ago
No longer depends on: 1151818
(Reporter)

Updated

3 years ago
Depends on: 1151818

Updated

3 years ago
Depends on: 1152377

Updated

3 years ago
Depends on: 1152465

Updated

3 years ago
Depends on: 1152627

Updated

3 years ago
Depends on: 1152990

Updated

3 years ago
Depends on: 1153168

Updated

3 years ago
Depends on: 1153180

Updated

3 years ago
Depends on: 1153749

Updated

3 years ago
Depends on: 1154285

Updated

3 years ago
Depends on: 1154716
Depends on: 1154870

Updated

3 years ago
No longer depends on: 1152465
(Reporter)

Updated

3 years ago
Depends on: 1156441
Depends on: 1157536

Updated

3 years ago
Depends on: 1155712

Updated

3 years ago
Depends on: 1158465

Updated

3 years ago
Depends on: 1159224

Updated

3 years ago
Depends on: 1163716

Updated

3 years ago
Depends on: 1163720

Updated

3 years ago
Depends on: 1138231

Updated

3 years ago
Depends on: 1165579

Updated

3 years ago
Depends on: 1165580
No longer depends on: 1138231
No longer depends on: 1165579
No longer depends on: 1165580

Updated

2 years ago
Depends on: 1166644
Depends on: 1172793

Updated

2 years ago
Depends on: 1173592

Updated

2 years ago
Depends on: 1174974

Updated

2 years ago
Depends on: 1177212

Updated

2 years ago
Depends on: 1179041

Updated

2 years ago
Depends on: 1187215

Updated

2 years ago
No longer depends on: 1156441

Updated

2 years ago
Depends on: 1152827

Updated

2 years ago
Depends on: 1244660
All dependent bugs are closed.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED