Closed Bug 1144726 Opened 5 years ago Closed 5 years ago

Citi credit cards https://cardupgrade.citi.com ssl_error_no_cypher_overlap

Categories

(Web Compatibility :: Desktop, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: froydnj, Unassigned)

Discovered this today while testing with Nightly.  SSL Labs refuses to check citi.com domains, so I'm at somewhat of a loss to determine what the actual problem is.  Apologies for the blocks.

Wow, that's some serious sleaze from Citibank. Sad that Qualys actually honors requests to disallow scans.

Using the 'sslscan' command line utility, I can confirm that this server appears to be RC4-only. (note: need at least openssl 1.0+ to properly test for all ciphers) Server does not support SSL3.

I don't know how to test for TLS version intolerance via command line, at the moment.

OS: Linux → All
Hardware: x86_64 → All

I'm going to assume that this is not a TLS version intolerance issue because we're erroring specifically on the cipher selection.

Ah, good. I found a competitor web service that will scan them:
https://www.wormly.com/test_ssl/h/cardupgrade.citi.com/i/198.160.105.70/p/443

It says it supports SSL3, though direct attempts to connect with openssl via command line fail with only SSL3, so this test service appears to be wrong here. Don't rely on it for checking version support. It shows cipher support fine, though.

Fixed.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

(In reply to Dave Garrett from comment #3)
> Ah, good. I found a competitor web service that will scan them:
> https://www.wormly.com/test_ssl/h/cardupgrade.citi.com/i/198.160.105.70/p/443
> 
> It says it supports SSL3, though direct attempts to connect with openssl via
> command line fail with only SSL3, so this test service appears to be wrong
> here. Don't rely on it for checking version support. It shows cipher support
> fine, though.

Maybe for future reference, http://testssl.sh has a rather detailed CLI script available that can do similar stuff to Qualys' service.
Product: Tech Evangelism → Web Compatibility
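
An added example, not part of the bug thread: Python that reads sslscan-style result rows and checks whether a client's cipher list overlaps what the server accepted, which is the condition behind ssl_error_no_cypher_overlap. The sample rows are constructed, the row layout (status, protocol, bits, cipher) is an assumption modelled on sslscan output, and `accepted_suites`, `diagnose` and `local_client_ciphers` are hypothetical helper names; cipher names are assumed to be OpenSSL-style on both sides.

```python
import re
import ssl

# Constructed sample rows (status, protocol, key bits, OpenSSL cipher name).
# Not real scan output for any host.
SAMPLE_SCAN = """\
    Rejected  SSLv3    128 bits  RC4-SHA
    Rejected  TLSv1.0  256 bits  AES256-SHA
    Rejected  TLSv1.0  128 bits  AES128-SHA
    Rejected  TLSv1.0  112 bits  DES-CBC3-SHA
    Accepted  TLSv1.0  128 bits  RC4-SHA
    Accepted  TLSv1.0  128 bits  RC4-MD5
"""

ROW = re.compile(
    r"^\s*(Accepted|Preferred|Rejected|Failed)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$"
)

def accepted_suites(scan_text):
    """Map each protocol to the set of cipher names the server accepted."""
    accepted = {}
    for line in scan_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) in ("Accepted", "Preferred"):
            accepted.setdefault(m.group(2), set()).add(m.group(4))
    return accepted

def diagnose(scan_text, client_ciphers):
    """Compare the server's accepted ciphers with a client's offered list."""
    accepted = accepted_suites(scan_text)
    server = set().union(*accepted.values())
    overlap = server & set(client_ciphers)
    return {
        "protocols": sorted(accepted),
        "server": sorted(server),
        "rc4_only": bool(server) and all("RC4" in c.split("-") for c in server),
        "overlap": sorted(overlap),
        # An empty overlap is the condition a client reports as "no cipher overlap".
        "handshake_possible": bool(overlap),
    }

def local_client_ciphers():
    """OpenSSL names offered by this Python build's default TLS context."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]

if __name__ == "__main__":
    report = diagnose(SAMPLE_SCAN, local_client_ciphers())
    print(report)
```

Firefox uses NSS rather than OpenSSL, so its offered suites would need mapping to OpenSSL names before being passed as `client_ciphers`.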