Closed
Bug 1141604
Opened 9 years ago
Closed 8 years ago
aavacations.com fail to load in Firefox Nightly, with "Secure Connection Failed ... Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) "
Categories: Web Compatibility :: Site Reports, defect
Tracking: RESOLVED FIXED (firefox36 unaffected, firefox37 unaffected, firefox38 affected, firefox39 affected)

Tracking | Flag | Status
---|---|---
firefox36 | --- | unaffected
firefox37 | --- | unaffected
firefox38 | --- | affected
firefox39 | --- | affected
People
(Reporter: dholbert, Unassigned)
Details
(Keywords: regression)
STR:
1. Visit https://www.aavacations.com/ (This is the site for "American Airlines Vacations")

ACTUAL RESULTS: Error page with:
> Secure Connection Failed
> An error occurred during a connection to www.aavacations.com.
> Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
>
> The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
>
> Please contact the website owners to inform them of this problem.

EXPECTED RESULTS: Page loads successfully.

Firefox 36 (release) and 37 (beta) give EXPECTED RESULTS. Firefox Developer Edition 38.0a2 (2015-03-10) and Nightly 39.0a1 (2015-03-09) give ACTUAL RESULTS.

It's conceivable that this error is intentional (if the site's security settings are really bad and we're becoming stricter) -- if that's the case, we should morph this into a Tech Evang bug and urge American Airlines to fix their site before Firefox 38 hits our beta/release users and they become unable to access it.
Comment 1 (Reporter) • 9 years ago
[Tracking Requested - why for this release]: regression (from a user's perspective); unable to access a site, w/ apparently no way to locally work around it.
status-firefox36: --- → unaffected
status-firefox37: --- → unaffected
status-firefox38: --- → affected
status-firefox39: --- → affected
tracking-firefox38: --- → ?
Comment 2 (Reporter) • 9 years ago
Regression range: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5a35ca7c0adc&tochange=c731517a47e8

That's bug 1124039. Skimming the last comments there, it sounds like we've got a whitelist for known-affected sites -- :emk, should we add this to the whitelist?
Blocks: 1124039
Flags: needinfo?(VYV03354)
Comment 3 (Reporter) • 9 years ago
(I guess this should block metabug 1138101 instead of code-bug 1124039.)

(Feel free to reclassify as Tech Evang if appropriate; I'm not sure how we're managing tech evang vs. whitelisting for this category of issues.)
Comment 4 • 9 years ago
I'm adding the known broken site to the whitelist until the site is fixed.
Flags: needinfo?(VYV03354)
Comment 5 • 9 years ago
(In reply to Daniel Holbert [:dholbert] from comment #3)
> (Feel free to reclassify as Tech Evang if appropriate; I'm not sure how
> we're managing tech evang vs. whitelisting for this category of issues.)

An RC4-only server is somewhat broken, so TE seems appropriate.
Component: Security → Desktop
OS: Linux → All
Product: Core → Tech Evangelism
Hardware: x86_64 → All
Comment 6 (Reporter) • 9 years ago
https://www.ssllabs.com/ssltest/analyze.html?d=aavacations.com confirms that this site only supports TLS_RSA_WITH_RC4_128_SHA. Quoting the output there:
> Cipher Suites (sorted by strength; the server has no preference)
> TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128

...and unsurprisingly, all of the simulated handshakes (listed below that) end up using TLS_RSA_WITH_RC4_128_SHA.
Comment 7 (Reporter) • 9 years ago
This affects the main American Airlines site, https://www.aa.com , as well -- I just didn't notice that at first because aa.com also allows insecure HTTP connections. (whereas aavacations.com forces you to upgrade to [broken] HTTPS)
Summary: aavacations.com fails with "Secure Connection Failed ... Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) " → aa.com & aavacations.com fail with "Secure Connection Failed ... Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) "
Comment 8 (Reporter) • 9 years ago
I reached out to them on Twitter: https://twitter.com/CodingExon/status/575429893523025920

Do we have any documentation on steps that sites need to take here? (From the ssllabs blog-post about this, https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what , I think "Support TLS 1.2 and GCM suites as soon as possible" is the takeaway for sites?)

Also, here's a SSL Labs page for aa.com, for completeness -- it shows TLS_RSA_WITH_RC4_128_SHA being the only supported cipher-suite: https://www.ssllabs.com/ssltest/analyze.html?d=aa.com&s=23.203.222.57
Updated (Reporter) • 9 years ago
Flags: needinfo?(VYV03354)
Updated (Reporter) • 9 years ago
Summary: aa.com & aavacations.com fail with "Secure Connection Failed ... Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) " → aa.com & aavacations.com fail to load in Firefox Nightly, with "Secure Connection Failed ... Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) "
Comment 9 • 9 years ago
(In reply to Daniel Holbert [:dholbert] from comment #8)
> I reached out to them on Twitter:
> https://twitter.com/CodingExon/status/575429893523025920
>
> Do we have any documentation on steps that sites need to take here? (From
> the ssllabs blog-post about this,
> https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what , I think "Support TLS 1.2 and GCM suites as soon as
> possible" is the takeaway for sites?)

Site compatibility docs have some description [1][2]. Bug 1140919 comment #5 & #7 have more concrete information. Ideally they should support AES-GCM, but if it will take the time, almost everything (even 3DES) is much better than RC4.

[1] https://developer.mozilla.org/en-US/Firefox/Releases/36/Site_Compatibility#Security
[2] https://developer.mozilla.org/en-US/Firefox/Releases/38/Site_Compatibility#Security
Flags: needinfo?(VYV03354)
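An added illustration (not code from Firefox, NSS or this bug) of the situation in comments 6 and 9: it parses an SSL Labs style cipher-suite listing, simulates the client's no-RC4 first attempt under the disabled / whitelist / unrestricted fallback policies mentioned in comments 4, 11 and 15, and returns the server-side advice from comment 9. The suite listings, whitelist contents and policy names are constructed assumptions, and the negotiation is simplified: any non-RC4 suite the server offers is treated as acceptable to the client.

```python
import re
from enum import Enum

# Constructed sample in the style of the SSL Labs "Cipher Suites" listing quoted
# in comment 6: the server offers one RC4 suite and nothing else.
RC4_ONLY_SERVER = """
Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128
"""

# Constructed sample of a repaired server that follows the advice in comment 9.
FIXED_SERVER = """
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128
"""

SUITE_RE = re.compile(r"^(TLS_[A-Z0-9_]+)\s+\(0x[0-9a-fA-F]+\)", re.M)

def parse_suites(report):
    """Return the cipher-suite names from an SSL Labs style listing, in order."""
    return SUITE_RE.findall(report)

class Fallback(Enum):
    DISABLED = "disabled"          # Nightly/Aurora after bug 1201023 (comment 15)
    WHITELIST = "whitelist"        # only hosts on the intolerant-fallback list (comment 4)
    UNRESTRICTED = "unrestricted"  # Firefox 38 beta/release (comment 11)

def negotiate(server_suites, host, fallback, whitelist=frozenset()):
    """Simplified client model: the first attempt offers no RC4, and RC4 is retried
    only when the fallback policy allows it for this host. Returns the chosen suite
    or the error code from the bug title."""
    non_rc4 = [s for s in server_suites if "RC4" not in s]
    if non_rc4:
        return non_rc4[0]  # listing is sorted by strength, so take the first
    rc4 = [s for s in server_suites if "RC4" in s]
    allowed = fallback is Fallback.UNRESTRICTED or (
        fallback is Fallback.WHITELIST and host in whitelist)
    if rc4 and allowed:
        return rc4[0]
    return "ssl_error_no_cypher_overlap"

def recommend(server_suites):
    """Server-side advice from comment 9."""
    if any("GCM" in s for s in server_suites):
        return "ok"
    if any("RC4" not in s for s in server_suites):
        return "add TLS 1.2 AES-GCM suites"
    return "RC4-only: add TLS 1.2 AES-GCM suites now (even 3DES is better than RC4)"
```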
Comment 10 • 9 years ago
It looks like Daniel has already done some outreach and the whitelisting will mean that by the time this goes to release it won't be something users encounter. emk, now that it's been whitelisted, when 38 goes to beta, will users be able to access this site? If so then this sounds like an evangelism issue and release management can't help.
tracking-firefox38: ? → ---
Flags: needinfo?(VYV03354)
Comment 11 • 9 years ago
I re-enabled unrestricted RC4 fallback on 38, so no beta users will encounter the problem.
Flags: needinfo?(VYV03354)
Comment 12 (Reporter) • 9 years ago
(Is the whitelist-addition tracked somewhere? I'm still seeing this cert error in nightly at https://aavacations.com/ and https://aa.com/ , though maybe that's expected if the whitelist change isn't live yet.)
Flags: needinfo?(VYV03354)
Comment 13 • 9 years ago
It is *not* added to the whitelist yet. Filed bug 1142769 to track this.
Flags: needinfo?(VYV03354)
Comment 14 (Reporter) • 9 years ago
Hmm, I'm still getting this error when visiting https://aa.com/ in current Nightly. emk, I thought comment 13 (bug 1142769) should have fixed this -- is the whitelist not working as expected? (Or maybe it's disabled in Nightly?)

(I do see aa.com listed at http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/IntolerantFallbackList.inc#14 , so it didn't get removed somehow.)
Flags: needinfo?(VYV03354)
Comment 15 • 9 years ago
Bug 1201023 has disabled the whitelist in Nightly/Aurora. See <https://groups.google.com/d/msg/mozilla.dev.platform/JIEFcrGhqSM/CIjtpwxoLQAJ> for details.
Flags: needinfo?(VYV03354)
Comment hidden (typo)
Comment 17 • 9 years ago
I just pinged a contact at Akamai regarding this.
Comment 18 • 9 years ago
I tweeted at AA too, and had slightly better luck than Daniel. https://twitter.com/AmericanAir/status/658881734583255040
Comment 19 • 9 years ago
I see this in Fx 42.0 release at aa.com, so it must be affecting lots of folks now. Martin: did you hear back from your Akamai contact?
Flags: needinfo?(martin.thomson)
Comment 20 • 9 years ago
Firefox 42 does not disable RC4 yet. I confirmed Firefox 42 loads aa.com. Did you test with a clean profile?
Comment 21 • 9 years ago
It's certainly still busted in Nightly. Rich told me that it would be fixed. I'll give him another nudge.
Flags: needinfo?(martin.thomson)
Comment 22 • 9 years ago
Apparently my bustage in 42 is due to HTTPS Everywhere. Sorry for the false alarm.
Comment 23 • 9 years ago
FWIW, @getify got the same response I did: https://twitter.com/AmericanAir/status/662640121276043265
Comment 24 • 9 years ago
Update:
> Now it's not gonna happen until after the holidays.
>
> Customer did not reply in time.
Comment 25 • 9 years ago
Most servers are fixed, but aavacations.com and www.aavacations.com are still broken.
Summary: aa.com & aavacations.com fail to load in Firefox Nightly, with "Secure Connection Failed ... Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) " → aavacations.com fail to load in Firefox Nightly, with "Secure Connection Failed ... Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) "
Comment 26 • 9 years ago
And smlogin.aa.com.
Comment 27 • 9 years ago
smlogin.aa.com has been fixed.
Updated (Assignee) • 5 years ago
Product: Tech Evangelism → Web Compatibility