Closed
Bug 1144726
Opened 10 years ago
Closed 10 years ago
Citi credit cards https://cardupgrade.citi.com ssl_error_no_cypher_overlap
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: froydnj, Unassigned)
Details
Discovered this today while testing with Nightly. SSL Labs refuses to check citi.com domains, so I'm at somewhat of a loss to determine what the actual problem is. Apologies for the blocks.
Comment 1•10 years ago
Wow, that's some serious sleaze from Citibank. Sad that Qualys actually honors requests to disallow scans.
Using the 'sslscan' command line utility, I can confirm that this server appears to be RC4-only. (note: need at least openssl 1.0+ to properly test for all ciphers) Server does not support SSL3.
I don't know how to test for TLS version intolerance via command line, at the moment.
OS: Linux → All
Hardware: x86_64 → All
Comment 2•10 years ago
I'm going to assume that this is not a TLS version intolerance issue because we're erroring specifically on the cipher selection.
No longer blocks: TLS-Intolerance
Comment 3•10 years ago
Ah, good. I found a competitor web service that will scan them:
https://www.wormly.com/test_ssl/h/cardupgrade.citi.com/i/198.160.105.70/p/443
It says it supports SSL3, though direct attempts to connect with openssl via command line fail with only SSL3, so this test service appears to be wrong here. Don't rely on it for checking version support. It shows cipher support fine, though.
Comment 5•10 years ago
(In reply to Dave Garrett from comment #3)
> Ah, good. I found a competitor web service that will scan them:
> https://www.wormly.com/test_ssl/h/cardupgrade.citi.com/i/198.160.105.70/p/443
>
> It says it supports SSL3, though direct attempts to connect with openssl via
> command line fail with only SSL3, so this test service appears to be wrong
> here. Don't rely on it for checking version support. It shows cipher support
> fine, though.
Maybe for future reference, http://testssl.sh has a rather detailed CLI script available that can do similar stuff to Qualys' service.
Updated•6 years ago
Product: Tech Evangelism → Web Compatibility