
www.cwu.edu is TLS 1.2 intolerant and RC4 only

Status: RESOLVED FIXED
Product: Tech Evangelism
Component: Desktop
Reported: 3 years ago
Modified: 2 years ago

People

(Reporter: David Hart, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Description (Reporter)

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36

Steps to reproduce:

Attempted to connect to https://my.cwu.edu.


Actual results:

Secure Connection Failed error message


Expected results:

In order to permit connection to this site and its content providers, please add the following hosts to the TLS intolerance fallback whitelist:

my.cwu.edu
my-csprd.ea.cwu.edu
my-hrprd.ea.cwu.edu
my-fsprd.ea.cwu.edu
my-fsrenprd.ea.cwu.edu
my-fsrpt.ea.cwu.edu

TLS for these sites is terminated on a legacy Cisco CSS11503 load balancer which does not support enhanced security. This system is scheduled for replacement but that will not occur before Firefox 37 is released.

Comment 1

3 years ago
https://www.ssllabs.com/ssltest/analyze.html?d=my.cwu.edu etc.:
> Cipher Suites (sorted by strength; the server has no preference)
> TLS_RSA_WITH_RC4_128_MD5 (0x4)
>
> TLS version intolerance: TLS 1.2, TLS 1.3, TLS 1.98
Blocks: 1126620, 1138101
Status: UNCONFIRMED → NEW
Component: Untriaged → Desktop
Ever confirmed: true
OS: Mac OS X → All
Product: Firefox → Tech Evangelism
Hardware: x86 → All
Summary: Add additional cwu.edu sites to TLS intolerance fallback whitelist. → Some cwu.edu sites are TLS 1.2 intolerant and RC4 only
Version: 37 Branch → unspecified
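What the SSL Labs "TLS version intolerance" row in Comment 1 measures, and why the reporter needs the fallback whitelist, is easier to see with the bytes in hand. The following is an added example, not code from the bug, from Mozilla or from the CWU deployment: it builds a bare ClientHello, runs it against a constructed stand-in for the load balancer (resets on any version above TLS 1.0, accepts only TLS_RSA_WITH_RC4_128_MD5, mirroring the Cisco note quoted later in the thread), and models Firefox's whitelist-gated fallback in simplified form. The server function, the hostnames in the whitelist and the offered suites are assumptions made for the example.

```python
import os
import struct

# TLS version code points (major.minor on the wire).
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
VERSION_NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}

# IANA cipher suite code points; the names match the SSL Labs output in the thread.
TLS_RSA_WITH_RC4_128_MD5 = 0x0004
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
HANDSHAKE_FAILURE = 40


def build_client_hello(version, cipher_suites):
    """Serialize a minimal ClientHello (no extensions) inside one TLS record."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version) + os.urandom(32)      # client_version, random
            + b"\x00"                                        # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                   # compression: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    # Browsers pin the record-layer version to TLS 1.0; the real version is in the body.
    return b"\x16" + struct.pack("!H", TLS10) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello")
    body = record[9:]
    version = struct.unpack("!H", body[:2])[0]
    pos = 35 + body[34]                                      # skip random and session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    return version, suites


def legacy_css_server(record):
    """Constructed stand-in for the intolerant, RC4-only load balancer in the bug.

    Returns the reply bytes, or None to model the TCP reset the Cisco note describes.
    """
    version, suites = parse_client_hello(record)
    if version > TLS10:                                      # reset instead of negotiating down
        return None
    if TLS_RSA_WITH_RC4_128_MD5 not in suites:              # fatal handshake_failure alert
        return b"\x15" + struct.pack("!H", TLS10) + b"\x00\x02\x02" + bytes([HANDSHAKE_FAILURE])
    body = (struct.pack("!H", TLS10) + os.urandom(32) + b"\x00"
            + struct.pack("!H", TLS_RSA_WITH_RC4_128_MD5) + b"\x00")
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!H", TLS10) + struct.pack("!H", len(handshake)) + handshake


def classify_reply(reply):
    """Turn the server's reply into a short verdict string."""
    if reply is None:
        return "reset"
    if reply[0] == 0x15:                                     # alert record: level, description
        return "alert:%d" % reply[6]
    if reply[0] == 0x16 and reply[5] == 0x02:                # ServerHello: suite follows session id
        sid_len = reply[43]
        suite = struct.unpack("!H", reply[44 + sid_len:46 + sid_len])[0]
        return "server_hello:0x%04x" % suite
    return "unexpected"


def probe_intolerance(server, offered_suites):
    """What the SSL Labs intolerance row does: one ClientHello per protocol version."""
    return {VERSION_NAMES[v]: classify_reply(server(build_client_hello(v, offered_suites)))
            for v in (TLS12, TLS11, TLS10)}


def connect_with_fallback(server, host, whitelist, offered_suites):
    """Simplified model of the Firefox 37 policy: start at TLS 1.2 and only retry at
    lower versions for hosts on the intolerance fallback whitelist (the insecure
    behaviour the reporter asks for). Returns (version used, verdict)."""
    versions = [TLS12, TLS11, TLS10] if host in whitelist else [TLS12]
    for v in versions:
        verdict = classify_reply(server(build_client_hello(v, offered_suites)))
        if verdict.startswith("server_hello"):
            return VERSION_NAMES[v], verdict
    return None, "Secure Connection Failed"


if __name__ == "__main__":
    offer = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
             TLS_RSA_WITH_RC4_128_MD5]
    print(probe_intolerance(legacy_css_server, offer))
    print(connect_with_fallback(legacy_css_server, "my.cwu.edu", {"my.cwu.edu"}, offer))
    print(connect_with_fallback(legacy_css_server, "example.org", {"my.cwu.edu"}, offer))
```

Against a real host you would replace `legacy_css_server` with a function that opens a socket, sends the record and returns the first reply (or None on `ConnectionResetError`). The point the thread turns on is visible in the model: an intolerant server makes TLS 1.2 and TLS 1.1 look identical to a network failure, so the only way a client can reach it is a downgrade retry, and that retry is exactly what a downgrade attacker would provoke, which is why Firefox gates it on a per-host whitelist rather than doing it for everyone.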

Comment 2

3 years ago
David: thanks for the report. You might be interested in CCing yourself on Bug 1142769, which is where the work for the next whitelist update will occur.

Comment 3

3 years ago
Thanks for naming the affected load balancer.

Comment 4 (Reporter)

3 years ago
If it's not too late, we may need these added as well:

my-csrenprd.ea.cwu.edu
my-hrrenprd.ea.cwu.edu

Comment 5

It was a bit too late, sorry.

Comment 6

3 years ago
From http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/css11500series/v8-20/release/note/RN820_X.html :
"CSCts77281—With a CSS configured with SSL termination, when the CSS receives an SSL CLIENT HELLO with TLS 1.1, it may did not properly fall back to TLS 1.0. The CSS would reset the connection, which was an incorrect action. "

Comment 7 (Reporter)

2 years ago
Here's another one that we would like added to the whitelist in the next release:

m.safari.cwu.edu

Hopefully this will be the last one, as we should be bringing our new balancers online by the end of the summer.

Thanks.

Comment 8

2 years ago
These servers were fixed at some point. They now use TLS 1.2 (obviously fixing the version intolerance) and dropped RC4 in favor of AES CBC & GCM, as well as 3DES to support old junk. The server config is still insecure; they have SSL3 enabled still. The test also whines that these support a DH_anon cipher suite, but I don't think that's quite as bad as it complains, though it doesn't need to be doing that.

Closing. Open a new issue if there's something else/new here.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Comment 9

2 years ago
The cached SSL Labs results for cwu.edu from Aug 21 still showed the problems.

Comment 10

2 years ago
Also I noticed that for my.wsu.edu at least only AES-256 and 3DES were enabled and the browsers don't support AES-256-GCM. They should be replaced with AES-128 suites.

Comment 11

(In reply to Yuhong Bao from comment #9)
> The cached SSL Labs results for cwu.edu from Aug 21 still showed the
> problems.

Sure.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: Some cwu.edu sites are TLS 1.2 intolerant and RC4 only → www.cwu.edu is TLS 1.2 intolerant and RC4 only

Comment 12 (Reporter)

2 years ago
Thanks for the alert. After adjusting the cipher suites, these all get an A from the SSL Labs test.

Comment 13

2 years ago
Change the AES-256 cipher suites to AES-128 please.

Comment 14

2 years ago
(In reply to Yuhong Bao from comment #13)
> Change the AES-256 cipher suites to AES-128 please.

There's no need to remove AES GCM 256 suites, just add 128. Specifically, Firefox likes to use something like: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Comment 15

2 years ago
That works if you order it correctly, but AES-256 isn't that much more secure than AES-128 anyway.

Comment 16

(In reply to Yuhong Bao from comment #10)
> the browsers don't support AES-256-GCM.

At least IE11 and Edge support AES-256-GCM on Windows 10. At any rate, the server was fixed for the purpose of this bug.
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
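Comments 13 to 16 argue about adding AES-128-GCM versus reordering, and Comment 15's "that works if you order it correctly" is the crux: with server preference enabled, appending a suite to the end of the server list changes nothing. The following added example (not code from the bug, from Mozilla or from CWU) models the negotiation under both preference modes and audits the chosen suite for the problems Comment 8 lists (RC4, 3DES, anonymous DH, CBC). The Firefox offer list is a constructed approximation of a 2015-era client without AES-256-GCM, as Comment 10 states; the server configurations are constructed to follow the thread's history and are not the real cwu.edu configuration.

```python
# Client preference list, in order. Constructed approximation of a 2015-era
# Firefox offer (RSA-authenticated suites only, no AES-256-GCM, per Comment 10);
# it is not copied from Mozilla's source.
FIREFOX_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed server configurations following the thread: the RC4-only original,
# the state Comment 8 describes, and the two ways of "adding AES-128-GCM".
SERVER_ORIGINAL = ["TLS_RSA_WITH_RC4_128_MD5"]
SERVER_AFTER_COMMENT_8 = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_256_CBC_SHA",
]
SERVER_128_APPENDED = SERVER_AFTER_COMMENT_8[:-1] + ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
SERVER_128_FIRST = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] + SERVER_AFTER_COMMENT_8[:-1]


def negotiate(client_offer, server_config, server_preference=True):
    """Pick the suite a handshake would select. With server preference the server
    walks its own list and takes the first suite the client offered; without it
    (SSL Labs' "the server has no preference") the client's order decides."""
    first, second = ((server_config, client_offer) if server_preference
                     else (client_offer, server_config))
    for suite in first:
        if suite in second:
            return suite
    return None


def audit(suite):
    """Flag, for one suite name, the weaknesses discussed in the thread."""
    if suite is None:
        return ["no common suite: handshake fails"]
    findings = []
    if "RC4" in suite:
        findings.append("RC4 is broken and prohibited by RFC 7465")
    if "3DES" in suite:
        findings.append("3DES has a 64-bit block; only tolerable for 'old junk'")
    if "anon" in suite:
        findings.append("anonymous DH: no server authentication")
    if "_CBC_" in suite:
        findings.append("CBC mode, not an AEAD")
    if not (suite.startswith("TLS_ECDHE_") or suite.startswith("TLS_DHE_")):
        findings.append("no forward secrecy")
    return findings


def report(server_config, server_preference=True):
    """What this Firefox would negotiate against a server config, plus findings."""
    suite = negotiate(FIREFOX_OFFER, server_config, server_preference)
    return suite, audit(suite)


if __name__ == "__main__":
    for name, cfg, pref in [("original", SERVER_ORIGINAL, False),
                            ("after comment 8", SERVER_AFTER_COMMENT_8, True),
                            ("AES-128-GCM appended", SERVER_128_APPENDED, True),
                            ("AES-128-GCM first", SERVER_128_FIRST, True)]:
        print(name, report(cfg, pref))
```

With server preference on, appending TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 still leaves Firefox on the AES-256 CBC suite because the server reaches that entry first; putting the AES-128-GCM suite ahead of the AES-256 entries gives every client an AEAD suite while clients that do support AES-256-GCM (IE11 and Edge on Windows 10, per Comment 16) can still be served it from further down the list. The anonymous DH suite never appears in the negotiation because no browser offers it, which is why Comment 8 rates it as less severe than SSL Labs does; it still belongs off the list.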