1139706 - fahrkarten.bahn.de is RC4 only and TLS 1.1/1.2 intolerant

Status: VERIFIED FIXED

(Web Compatibility :: Site Reports, defect)

Description

[:Cykesiopka]

https://www.ssllabs.com/ssltest/analyze.html?d=fahrkarten.bahn.de :
> Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
> TLS_RSA_WITH_RC4_128_MD5 (0x4)

> TLS version intolerance 	TLS 1.1  TLS 1.2  TLS 1.3  TLS 1.98  TLS 2.98

Comment 1

[Florian Weimer]

Same for reiseauskunft.bahn.de and likely other bahn.de sites as well.

Comment 2

[Alexander Buchner]

Yes, actually there are other sites. But I'm not sure if I want to see them on the whitelist.
I am in contact with people at bahn.de and my actual goal is to convince them that it's a good idea to get rid off RC4.
I'm afraid that there would be no pressure to change their config if their sites are on the whitelist and everything still works fine.

Comment 3

[Masatoshi Kimura [:emk]]

Firefox 36+ will display a triangle warning icon instead of the lock icon and/or the EV indicator on the location bar if the site depends on RC4. Looks like fahrkarten.bahn.de loses the EV indicator.
It might not be sufficient pressure, but it exists.

Comment 4

[Masatoshi Kimura [:emk]]

Fixed.

Comment 5

[Dave Garrett]

https://www.ssllabs.com/ssltest/analyze.html?d=fahrkarten.bahn.de

Wow, they're 'A' rated on the test now. That's a great improvement. :)

Comment 6

[Tobias Burnus]

REOPEN: The white list can be removed as they have updated their server - as https://www.ssllabs.com/ssltest/analyze.html?d=fahrkarten.bahn.de shows.

That's in line with what they wrote me recently by email: That they will update their server soon. Seemingly, that has happened.

Comment 7

[Masatoshi Kimura [:emk]]

The whitelist update is tracked by bug 1145844.