Closed Bug 1150816 Opened 5 years ago Closed 5 years ago

extranet.ac-grenoble.fr is TLS 1.2 intolerant, RC4 only, and does not send the full cert chain

Component: Web Compatibility :: Desktop (defect)
Status: RESOLVED FIXED
Reporter: laurent.cooper (Unassigned)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150326190726

Steps to reproduce:

Connect to https://extranet.ac-grenoble.fr/ with Firefox 36.0.4 and Firefox 37 on Mac OS X.

Tried to connect with all extensions disabled. No proxy is used. Cache was empty.


Actual results:

Firefox shows this message (original in French, translated here):
---
Secure Connection Failed
The connection to extranet.ac-grenoble.fr was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
---


Expected results:

The page should have been displayed.

It works flawlessly (once the CA certificate is loaded) in Firefox 36.0.4 on Windows 7.

Mac OS build-specific problem?
Did you make a test with a clean profile on OS X?
https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles

Like you, WFM with FF 37 on Win7.
Component: Untriaged → Security: PSM
Flags: needinfo?(laurent.cooper)
Product: Firefox → Core
(In reply to Loic from comment #1)
> Did you make a test with a clean profile on OS X?
> https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
>
> Like you, WFM with FF 37 on Win7.

Doesn't work here with 37.0.1 on Win7 on a fresh profile, or Aurora 39 on Win7 with a used profile. I get the Secure Connection Failed connection interrupted screen. That it works for you actually surprises me, since:

https://www.ssllabs.com/ssltest/analyze.html?d=extranet.ac-grenoble.fr :
> TLS version intolerance: TLS 1.2, TLS 1.3, TLS 1.98
This is consistent with the error message above.



Laurent: Firefox 36 and below allow global TLS version fallbacks, but Firefox 37 and above only allow fallbacks for sites on a whitelist. https://extranet.ac-grenoble.fr is not on this whitelist. So this server needs updating.

In addition to the intolerance issue above, here are a few things the SSL Labs page also notes that need to be fixed:
> Cipher Suites (sorted by strength; the server has no preference)
> TLS_RSA_WITH_RC4_128_MD5 (0x4)

Firefox 39 similarly does not allow RC4 use unless a site is on the whitelist. Otherwise you'll run into a different error when Firefox 39 comes.

> Extra download  AC Infrastructures
> Extra download  AC Enseignement Scolaire
> Extra download  AC Education Nationale

These intermediate certs need to be sent by the server as well. Visiting the site might work on a used profile due to Firefox caching the intermediate certs from previous connections, but not on any profiles that don't have the intermediate certs cached. Not sending the intermediate certs is a misconfiguration.

Thanks!
Status: UNCONFIRMED → NEW
Component: Security: PSM → Desktop
Ever confirmed: true
OS: Mac OS X → All
Product: Core → Tech Evangelism
Hardware: x86 → All
Summary: ssl certificate working with FF on windows but not FF on Max OS X → extranet.ac-grenoble.fr is TLS 1.2 intolerant, RC4 only, and does not send the full cert chain
Version: 36 Branch → unspecified
OK.

I can understand the concerns about security.

But.

The behavior is a bit harsh. That the site is insecure is real. Firefox should warn people about that, explain it as clearly as possible and let people choose whether they want to go to the site anyway. I think it's a matter of freedom of choice.

We shall not take people for children and decide for them. The site is not secure? Warn. Do not forbid.

In this case, this site is used for SSO for multiple official products in education. A lot of people will want to use one of those sites, see that they can't with Firefox, and try another browser. Let's say for me Google Chrome and Safari. A lot will try IE.

Chrome for example gives a BIG warning. You must click two or three times on a "hey it's dangerous. Are you sure?" thing, and it shows you a broken lock in the address bar during the SSO completion. But you can do it.

The risk is that a lot of non-tech people will just understand it this way: Firefox does not work for this site. In short, Firefox does not work.

High danger of switching, in my humble opinion.

Hope it helps to clarify the situation.
Flags: needinfo?(laurent.cooper)
Hi Laurent,

Unfortunately, I'm not sure if it's feasible to allow a click through screen for TLS intolerance issues.

Mozilla did run scans to try and pick up sites that would be affected to minimise compatibility issues, but extranet.ac-grenoble.fr was not picked up, unfortunately.

You can set the security.tls.insecure_fallback_hosts pref to "extranet.ac-grenoble.fr,ac-grenoble.fr" (without the quotes), and you should be able to access the site in the meantime.

In any case, the site will be added to the whitelist for the Firefox 38 release and above.
Laurent,

From your email address, you're associated with ac-grenoble.fr.

This issue pertains to multiple technical faults with the service, none of them are an issue with Firefox.

Are you therefore able to pass this on to the technical team who are responsible for it?

The service needs to be fixed so that:

1) It is not TLS 1.2 intolerant.
2) It does not use an RC4-based cipher suite.
3) It sends the intermediary certificates.

The certificate will eventually also need to be reissued by IGC/A so that it uses a SHA-2 family hash rather than SHA-1.

See https://wiki.mozilla.org/Security/Server_Side_TLS
The service should be corrected so that it is something like the intermediary configuration.
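The bug does not say what software serves extranet.ac-grenoble.fr, so the following is an added, hypothetical example rather than the site's real configuration or anything from the Mozilla wiki: an Apache httpd mod_ssl vhost that reproduces the three faults listed above, followed by the same vhost corrected along the lines of the Mozilla "intermediate" profile. File paths, the chain file name and the cipher list are assumptions. One caveat a practitioner should know: TLS 1.2 intolerance is normally a property of the TLS library or of a front-end device that cannot parse a TLS 1.2 ClientHello, so the corrected directives only take effect once the stack itself is current (OpenSSL 1.0.1 or later is needed for TLS 1.2 at all).

```apache
# BEFORE: hypothetical vhost reproducing the faults reported in this bug
<VirtualHost *:443>
    ServerName extranet.ac-grenoble.fr
    SSLEngine on
    SSLProtocol SSLv3 TLSv1                 # no TLS 1.1/1.2; an old stack may also choke on a 1.2 hello
    SSLCipherSuite RC4-MD5                  # TLS_RSA_WITH_RC4_128_MD5 (0x0004) and nothing else
    SSLCertificateFile /etc/ssl/certs/extranet.crt        # leaf only (assumed path)
    SSLCertificateKeyFile /etc/ssl/private/extranet.key
    # no chain file: the "AC Infrastructures" intermediates are never sent, so a
    # fresh profile that has not cached them cannot build a path to the root
</VirtualHost>

# AFTER: same vhost, corrected along the lines of the Mozilla "intermediate" profile
<VirtualHost *:443>
    ServerName extranet.ac-grenoble.fr
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3           # TLS 1.0, 1.1 and 1.2 on a current OpenSSL
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:!aNULL:!eNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on                  # server, not client, picks the suite
    SSLCertificateFile /etc/ssl/certs/extranet.crt
    SSLCertificateKeyFile /etc/ssl/private/extranet.key
    SSLCertificateChainFile /etc/ssl/certs/igca-intermediates.pem   # assumed name: the intermediates, leaf-side first
</VirtualHost>
```

On Apache 2.4.8 and later `SSLCertificateChainFile` is deprecated and the intermediates are instead appended, in order, after the leaf inside the `SSLCertificateFile` itself. Either way, each of the three points can be checked from outside with `openssl s_client`: `-tls1_2 -servername extranet.ac-grenoble.fr` must complete the handshake, `-cipher RC4` must now fail, and `-showcerts` must list the intermediates after the leaf.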
As a side note, I think they are phasing out the IGC/A root, right?
https://webmail.ac-grenoble.fr is also affected.
Fixed now, even supports TLS 1.2 too.
(In reply to Yuhong Bao from comment #8)
> Fixed now, even supports TLS 1.2 too.

Indeed.

Laurent: Thanks!
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility