Closed
Bug 1146017
Opened 9 years ago
Closed 9 years ago
ssl_error_bad_mac_read on https://www.boutique-programme-voyageur.sncf.com
Categories
(Web Compatibility :: Site Reports, defect)
Web Compatibility
Site Reports
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gerard-majax, Unassigned)
References
Details
(Keywords: regression)
Attachments
(1 file)
I'm not able to access anymore this website. This is failing with "ssl_error_bad_mac_read" TLS error. As far as I know this is working on current stable release.
Reporter | ||
Comment 1•9 years ago
|
||
Is it the website that is at fault?
Comment 2•9 years ago
|
||
TLS 1.1/1.2 intolerance? openssl s_client -host www.boutique-programme-voyageur.sncf.com -port 443 -tls1 > CONNECTED(00000003) > depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority > verify error:num=19:self signed certificate in certificate chain > verify return:0 openssl s_client -host www.boutique-programme-voyageur.sncf.com -port 443 -no_tls1_2 -no_tls1_1 > CONNECTED(00000003) > depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority > verify error:num=19:self signed certificate in certificate chain > verify return:0 openssl s_client -host www.boutique-programme-voyageur.sncf.com -port 443 -no_tls1_2 > CONNECTED(00000003) > depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority > verify error:num=19:self signed certificate in certificate chain > verify return:0 > 139671897179808:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:486: In addition, if I set security.tls.version.fallback-limit to 1 in Aurora 38, I can connect. https://www.ssllabs.com/ssltest/analyze.html?d=boutique-programme-voyageur.sncf.com doesn't mention TLS 1.1/1.2 intolerance, but regardless, it does identify plenty of other areas where the site is broken.
Comment 3•9 years ago
|
||
(In reply to Cykesiopka from comment #2) > https://www.ssllabs.com/ssltest/analyze.html?d=boutique-programme-voyageur.sncf.com > doesn't mention TLS 1.1/1.2 intolerance, but regardless, it does identify > plenty of other areas where the site is broken. That's an understatement and a half. It's currently rated 'F'. Pasting here for the record: This server supports SSL 2, which is obsolete and insecure. Grade set to F. This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F. This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F. This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F. Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2. The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B. This server accepts the RC4 cipher, which is weak. Grade capped to B. There is no support for secure renegotiation. The server does not support Forward Secrecy with the reference browsers.
Comment 4•9 years ago
|
||
The site still rated F, but it has enabled AES and it no longer TLS 1.2 intolerant.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•5 years ago
|
Product: Tech Evangelism → Web Compatibility
You need to log in
before you can comment on or make changes to this bug.
Description
•