Closed
Bug 1135666
Opened 9 years ago
Closed 9 years ago
AliExpress/Alibaba login.aliexpress.com is (mostly) RC4 only
Categories
(Web Compatibility :: Site Reports, defect)
Web Compatibility
Site Reports
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: shane.bundy, Unassigned)
References
()
Details
(Whiteboard: [contactready])
Attachments
(1 file)
|
43.58 KB,
image/png
|
Details |
RC4maybeButAESyes.png
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:38.0) Gecko/20100101 Firefox/38.0 Build ID: 20150221095252 Steps to reproduce: 1. Went to AliExpress 2. Clicked to sign in Actual results: An error pages with code "ssl_error_no_cypher_overlap" is given despite the fact the cipher is supported in Firefox. Expected results: Open as expected.
|
Reporter | |
Updated•9 years ago
|
Hardware: x86 → x86_64
|
||
Comment 1•9 years ago
|
||
https://www.ssllabs.com/ssltest/analyze.html?d=login.aliexpress.com : > Cipher Suites (sorted by strength; the server has no preference) > TLS_RSA_WITH_RC4_128_SHA (0x5)
Blocks: 1124039
Status: UNCONFIRMED → NEW
Component: Untriaged → Desktop
Ever confirmed: true
OS: Windows 8.1 → All
Product: Firefox → Tech Evangelism
Hardware: x86_64 → All
Summary: Logging into AliExpress/Alibaba gives ssl_error_no_cypher_overlap → AliExpress/Alibaba login.aliexpress.com is RC4 only
Version: Trunk → unspecified
|
|
Reporter | |
Comment 2•9 years ago
|
||
I was waiting for that SSL Labs page to be linked.
|
||
Updated•9 years ago
|
Blocks: RC4-Dependence
|
|
||
Comment 3•9 years ago
|
||
(In reply to Shane Bundy from comment #2) > Created attachment 8570960 [details] > RC4maybeButAESyes.png > > I was waiting for that SSL Labs page to be linked. Hmm, yes. Something else is going on as well. Most of the time, the handshake simulation section is just this: > TLS 1.0 TLS_RSA_WITH_RC4_128_SHA (0x5) But clear the cache and keep trying, and one or more non-RC4 suites will be used for a select few randomised cases: > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) > TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) However, sometimes the HTTP server signature is "Apache", sometimes it's "Unknown", and sometimes something that starts with T, even for the same IPs (load balancer?).
Summary: AliExpress/Alibaba login.aliexpress.com is RC4 only → AliExpress/Alibaba login.aliexpress.com is (mostly) RC4 only
|
||
Updated•9 years ago
|
Whiteboard: [contactready]
|
|
||
Comment 4•9 years ago
|
||
FWIW I can now connect successfully with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 on Aurora 38. The Handshake Simluation sections in https://www.ssllabs.com/ssltest/analyze.html?d=login.aliexpress.com are also now populated with a lot more non-RC4 suites (the HTTP server signature I got every time I tried over the past few days was "Tengine"). Not sure if this means Alibaba has fixed all of the servers that seem to serve the URL though.
|
|
Reporter | |
Comment 6•9 years ago
|
||
The issue seems to have been resolved. Alibaba have always had non-RC4 ciphers on offer but Firefox was mostly refusing to use them on first, and subsequent, loads. It still would be nice if RC4 would just die already. :)
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shane.bundy)
Resolution: --- → WORKSFORME
I'm still facing it in Firefox 44.0b4. Very rare cases when it would load, otherwise it is the same error. Somehow works in Developer edition :|
|
Assignee | |
Updated•5 years ago
|
Product: Tech Evangelism → Web Compatibility
You need to log in
before you can comment on or make changes to this bug.
Description
•