Closed Bug 1144058 Opened 9 years ago Closed 9 years ago

Various service-public.fr domains are RC4 only

Category: Web Compatibility :: Site Reports (defect)
Status: VERIFIED FIXED
Reporter: Sylvestre (Unassigned)


+++ This bug was initially created as a clone of Bug #1133648 +++

https://liaison.mon.service-public.fr/

Secure Connection Failed

An error occurred during a connection to liaison.mon.service-public.fr. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) 

https://www.ssllabs.com/ssltest/analyze.html?d=liaison.mon.service-public.fr&latest
(In reply to Sylvestre Ledru [:sylvestre] from comment #0)
> https://www.ssllabs.com/ssltest/analyze.html?d=liaison.mon.service-public.fr&latest
TLS_RSA_WITH_RC4_128_MD5 specifically.

In addition:
> TLS version intolerance 	TLS 1.1  TLS 1.2  TLS 1.3  TLS 1.98  TLS 2.98
... locally confirmed in Aurora 38 using the appropriate prefs as well.
Summary: https://liaison.mon.service-public.fr/ ssl_error_no_cypher_overlap error → https://liaison.mon.service-public.fr/ is TLS 1.1/1.2 intolerant and RC4 only
Site seems to be tolerant when using 0x0301 in record layer.
(In reply to Yuhong Bao from comment #2)
> Site seems to be tolerant when using 0x0301 in record layer.

Right. I retested again, and it works fine. Sigh.

Thanks for checking, and sorry for the bug spam.
No longer blocks: TLS-Intolerance
Summary: https://liaison.mon.service-public.fr/ is TLS 1.1/1.2 intolerant and RC4 only → https://liaison.mon.service-public.fr/ is RC4 only
Hmm, I sent feedback to this site about their RC4 usage, but they replied (assuming Google Translate is correct) that there's a law that means they have to reply in French, and that they are unable to process foreign language messages...
If you give me the content of your email, I translate it for you.
(In reply to Sylvestre Ledru [:sylvestre] from comment #5)
> If you give me the content of your email, I translate it for you.

Thanks! Here's what I sent (it's a bit compressed because their contact form only allows 800 characters):

--------------------------

Hi,

I've noticed that https://mon.service-public.fr is RC4 only: https://www.ssllabs.com/ssltest/analyze.html?d=mon.service-public.fr
Firefox 39 (released on 2015-06-30) only allows RC4 for whitelisted sites. Non-whitelist sites will show an error page.
It would be great if the server is configured to offer modern cipher suites.

This is important as:
CVE-2013-2566 now has a CVSS v2 Base Score of 4.3.
RC4 use violates RFC 7465.
Attacks such as http://www.isg.rhul.ac.uk/tls/RC4mustdie.html show that RC4 is unsuitable for secure communication.
On FF 36+, the grey lock is replaced by the triangle warning icon when RC4 is used.
There is no guarantee that a site will stay on the whitelist.

For reference, see https://bugzilla.mozilla.org/show_bug.cgi?id=1144058

Many thanks!
Hi, 

I am also facing a connection issue on the website https://connexion.mon.service-public.fr. So I would like to help you. From my understanding, FF is now blocking TLS 1.0 connections and this website is also using only this kind of connection.

So here is the expected translation.

Many thanks!

------------------------------------------
Hello,

I have noticed that the website https://mon.service-public.fr uses an RC4-secured connection (https://www.ssllabs.com/ssltest/analyze.html?d=mon.service-public.fr).

Firefox 39 (scheduled for 30 June 2015) will allow RC4 connections only for a predefined list of websites. Other sites will end up on an error page.

This important measure is justified by:
- CVE-2013-2566 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566), which now has a CVSS v2 score of 4.3
- RC4 connections violate the RFC 7465 specification
- Attacks such as http://www.isg.rhul.ac.uk/tls/RC4mustdie.html have shown that RC4 connections are not suitable for secure communications
- Since Firefox 36, the icon indicating the security of the connection in the address bar has changed from the green padlock to a warning triangle when an RC4 connection is used

Furthermore, there is no guarantee that a site will be able to remain on the predefined list of sites still allowed to use RC4.

Kind regards
------------------------------------------
(In reply to Nicolas W from comment #7)
> Hi,
> 
> I am also facing a connection issue on the website
> https://connexion.mon.service-public.fr. So I would like to help you. From
> my understanding, FF is now blocking TLS 1.0 connections and this website is
> also using only this kind of connection.
> 
> So here is the expected translation.
> 
> Many thanks!

Thanks! I've resubmitted this to their feedback form. A minor correction though - FF is blocking this site due to it only supporting RC4. Not supporting anything higher than TLS 1.0 is problematic, but isn't being blocked yet.
All the problematic domains I've been able to find so far:
https://compteasso.service-public.fr
https://comptepro.service-public.fr
https://connexion.mon.service-public.fr
https://liaison.mon.service-public.fr
https://mon.service-public.fr
Summary: https://liaison.mon.service-public.fr/ is RC4 only → Various service-public.fr domains are RC4 only
Hello,

Did you get any answer from the admin the service-public.fr website ?

This issue is quite annoying since many French citizens are likely to use this site in order to fill in their tax declaration documents!

Thanks,
Hi Jean-Luc,

I got this reply from them early this morning:

> Hello,
> 
> We are currently investigating this malfunction, which occurs on the Firefox browser.
> 
> Could you try accessing the site with another browser?
> 
> Thank you for your feedback.
> 
> Regards,
> 
> mon.service-public
> support service

I plan to reply as follows:

Hi,

In the short term, other browsers such as Chrome and IE will connect fine.
Longer term, Chrome plans to disable RC4 by the end of 2015.

However, RC4 is insecure regardless of which browser is used.
Hence it would be great if the service-public.fr servers were fixed sooner rather than later.

Thanks.
Hi,
Thanks Cykesiopka for your involvement and this tech evangelism. Here is the translation:
====
Hello,

In the short term, other browsers, such as Chrome or Internet Explorer, allow you to connect correctly. In the longer term, Chrome plans to stop supporting RC4 by the end of 2015.

However, RC4 connections are no longer secure whichever browser is used.
That is why it would be good for the service-public.fr servers to be fixed as soon as possible.

Thanks
=====

Thanks again. I am not sure you will get past level 1 support. But you have already done more than expected. It is now up to them to fix it. I hope they will do it.

Best regards
Hello,

I tried yesterday evening (9 PM Paris time) to connect to mon.service-public.fr using Firefox 37.0.2 on Windows 7 and it worked fine.

Thanks,
Firefox 37 has not disabled RC4 yet.
(In reply to Yuhong Bao from comment #14)
> Firefox 37 has not disabled RC4 yet.
So, 38 is fine too but 39 fails as expected.
(In reply to Nicolas W from comment #12)
> Hi,
> Thanks Cykesiopka for your involvement and this tech evangelism. Here is the
> translation:
> ====
> Hello,
> 
> In the short term, other browsers, such as Chrome or Internet Explorer,
> allow you to connect correctly. In the longer term, Chrome plans to stop
> supporting RC4 by the end of 2015.
> 
> However, RC4 connections are no longer secure whichever browser is used.
> That is why it would be good for the service-public.fr servers to be fixed
> as soon as possible.
> 
> Thanks
> =====
> 
> Thanks again. I am not sure you will get past level 1 support. But you have
> already done more than expected. It is now up to them to fix it. I hope they
> will do it.
> 
> Best regards

Thanks for the translation. Here's their response:

> Hello,
> 
> The site mon.service-public.fr currently uses security certificates issued by the Certification
> Authority of the Direction de l'Information Légale et Administrative (DILA).
> 
> However, some web browsers have not yet natively integrated this Certification
> Authority.
> 
> We are working to quickly restore normal access to your
> mon.service-public.fr account.
> 
> Please accept our apologies for any inconvenience caused.
> 
> Regards,
> 
> mon.service-public
> support service

... so unfortunately it looks like service-public.fr support doesn't quite understand what the problem is.

Regardless, post Bug 1145844 the various domains I listed in comment 9 will be in the whitelist for FF 38 and above. So even if service-public.fr does nothing, at least people will still be able to connect by default. Hopefully someone there will eventually figure out what the problem is.
Fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
WFM with the current aurora release: 39.0a2 (2015-04-29)
Status: RESOLVED → VERIFIED
Product: Tech Evangelism → Web Compatibility