Closed Bug 1135666 Opened 6 years ago Closed 5 years ago

AliExpress/Alibaba login.aliexpress.com is (mostly) RC4 only

Categories

(Web Compatibility :: Desktop, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: shane.bundy, Unassigned)

Details

(Whiteboard: [contactready])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150221095252

Steps to reproduce:

1. Went to AliExpress
2. Clicked to sign in


Actual results:

An error page with code "ssl_error_no_cypher_overlap" is given despite the fact the cipher is supported in Firefox.


Expected results:

Open as expected.
Hardware: x86 → x86_64
https://www.ssllabs.com/ssltest/analyze.html?d=login.aliexpress.com :
> Cipher Suites (sorted by strength; the server has no preference)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
Blocks: 1124039
Status: UNCONFIRMED → NEW
Component: Untriaged → Desktop
Ever confirmed: true
OS: Windows 8.1 → All
Product: Firefox → Tech Evangelism
Hardware: x86_64 → All
Summary: Logging into AliExpress/Alibaba gives ssl_error_no_cypher_overlap → AliExpress/Alibaba login.aliexpress.com is RC4 only
Version: Trunk → unspecified
Attached image RC4maybeButAESyes.png
I was waiting for that SSL Labs page to be linked.
No longer blocks: 1124039
(In reply to Shane Bundy from comment #2)
> Created attachment 8570960 [details]
> RC4maybeButAESyes.png
> 
> I was waiting for that SSL Labs page to be linked.

Hmm, yes. Something else is going on as well.
Most of the time, the handshake simulation section is just this:
> TLS 1.0 	TLS_RSA_WITH_RC4_128_SHA (0x5)

But clear the cache and keep trying, and one or more non-RC4 suites will be used for a select few randomised cases:
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)

However, sometimes the HTTP server signature is "Apache", sometimes it's "Unknown", and sometimes something that starts with T, even for the same IPs (load balancer?).
Summary: AliExpress/Alibaba login.aliexpress.com is RC4 only → AliExpress/Alibaba login.aliexpress.com is (mostly) RC4 only
Whiteboard: [contactready]
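
Added example, not part of the bug thread and not Mozilla's code: one way to reproduce the observation above from a client that does not offer RC4, by making repeated fresh handshakes and recording the negotiated suite and `Server` header each time. The function names and the sample data are hypothetical, and it assumes a current Python/OpenSSL build whose default cipher list excludes RC4.

```python
import collections
import socket
import ssl
import sys

def server_header(head):
    """Return the Server: value from raw HTTP response headers, or None."""
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def probe(host, port=443, timeout=5.0):
    """One fresh handshake with the local default cipher list (no RC4).
    Returns (suite, server); suite is None if the handshake was rejected."""
    ctx = ssl.create_default_context()
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                suite = tls.cipher()[0]
                tls.sendall(request.encode("ascii"))
                head = tls.recv(4096).decode("latin-1")
    except ssl.SSLError:
        # Any TLS-level failure, including the handshake_failure alert sent
        # when no suite overlaps; plain network errors are left to propagate.
        return None, None
    return suite, server_header(head)

def is_mixed_pool(observations):
    """True when some handshakes failed and others succeeded, i.e. the
    backends behind one hostname do not share a TLS configuration."""
    failed = sum(1 for suite, _ in observations if suite is None)
    return 0 < failed < len(observations)

# Constructed sample (not captured data): repeated probes against a pool
# like the one described in the thread.
SAMPLE = [
    (None, None), (None, None), (None, None),
    ("ECDHE-RSA-AES128-GCM-SHA256", "Tengine"),
    ("AES128-SHA256", "Apache"),
]

if __name__ == "__main__":
    runs = [probe(sys.argv[1]) for _ in range(20)] if len(sys.argv) > 1 else SAMPLE
    for (suite, server), n in collections.Counter(runs).most_common():
        print(n, suite or "handshake failed", server or "-")
    print("mixed pool:", is_mixed_pool(runs))
```

Run with a hostname as the only argument to probe it 20 times; with no argument it summarises the constructed sample.
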
FWIW I can now connect successfully with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 on Aurora 38.

The Handshake Simulation sections in https://www.ssllabs.com/ssltest/analyze.html?d=login.aliexpress.com are also now populated with a lot more non-RC4 suites (the HTTP server signature I got every time I tried over the past few days was "Tengine").

Not sure if this means Alibaba has fixed all of the servers that seem to serve the URL though.
Shane, do you still see the issue?
Flags: needinfo?(shane.bundy)
The issue seems to have been resolved. Alibaba have always had non-RC4 ciphers on offer but Firefox was mostly refusing to use them on first, and subsequent, loads.

It still would be nice if RC4 would just die already. :)
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(shane.bundy)
Resolution: --- → WORKSFORME
I'm still facing it in Firefox 44.0b4. Very rare cases when it would load, otherwise it is the same error. 
Somehow works in Developer edition :|
Product: Tech Evangelism → Web Compatibility