Closed Bug 1151818 Opened 5 years ago Closed 5 years ago

*.fdj.fr returns SSL 3.0 ServerHello for TLS >1.0 ClientHello

Categories

(Web Compatibility :: Desktop, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: epinal99-bugzilla2, Unassigned)

STR:
Load https://www.fdj.fr/accueil/

Some elements are not loaded (spinning wheel) since FF37.

https://www.ssllabs.com/ssltest/analyze.html?d=fdj.fr
Flags: needinfo?(cykesiopka.bmo)
security.tls.version.min=0 fixes the issue.
Yup, this server is intolerant to > TLS 1.0. It's also POODLE (TLS) vulnerable.

(In reply to Loic from comment #1)
> security.tls.version.min=0 fixes the issue.

security.tls.insecure_fallback_hosts=www.fdj.fr
security.tls.version.fallback-limit=1
security.tls.version.max=1
... should all work as well, from most preferred to least.
Flags: needinfo?(cykesiopka.bmo)
OS: Windows 7 → All
Hardware: x86_64 → All
Summary: https://www.fdj.fr/accueil/ doesn't load all elements since Firefox 37 (TLS intolerance?) → https://www.fdj.fr returns SSL 3.0 ServerHello for TLS >1.0 ClientHello and is POODLE (TLS) vulnerable
Version: Firefox 37 → unspecified
I sent an email.
www.fdj.fr is already in the whitelist, but media.fdj.fr is not.
(In reply to Masatoshi Kimura [:emk] from comment #4)
> www.fdj.fr is already in the whitelist, but media.fdj.fr is not.

Indeed, that explains why some elements from media.fdj.fr are not loaded.
Summary: https://www.fdj.fr returns SSL 3.0 ServerHello for TLS >1.0 ClientHello and is POODLE (TLS) vulnerable → *.fdj.fr returns SSL 3.0 ServerHello for TLS >1.0 ClientHello and is POODLE (TLS) vulnerable
They have fixed the server: SSL3 has been disabled, but it's still vulnerable to POODLE (TLS).
No longer blocks: TLS-Intolerance
Summary: *.fdj.fr returns SSL 3.0 ServerHello for TLS >1.0 ClientHello and is POODLE (TLS) vulnerable → *.fdj.fr is POODLE (TLS) vulnerable
If SSL3 is disabled and the site now loads properly in Firefox, then I'm closing this as FIXED.

Yes, they may have horrible security issues, but if we attempted to track every server on the Internet with a security problem here, we'd go insane. The problem this bug was filed for is fixed, so this is done. If someone can get in touch with them and get them to upgrade whatever broken out-of-date junk is vulnerable, that's great, but we don't need to track it here.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Summary: *.fdj.fr is POODLE (TLS) vulnerable → *.fdj.fr returns SSL 3.0 ServerHello for TLS >1.0 ClientHello
Product: Tech Evangelism → Web Compatibility
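
Added example (not part of the bug thread and not Mozilla's code): a Python check for the handshake behaviour named in this bug's title, comparing the version a ClientHello offers with the version the ServerHello selects. The sample records are constructed and truncated after the session id, the function names are hypothetical, and it assumes pre-TLS 1.3 handshakes where the version is read from the hello body.

```python
import struct

SSL3, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)
NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def hello_version(record: bytes):
    """Return (handshake_type, (major, minor)) from one TLS handshake record."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _rmaj, _rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:                      # 0x16 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if rlen < 6 or len(body) < rlen:
        raise ValueError("truncated handshake")
    htype = body[0]                        # 1 = ClientHello, 2 = ServerHello
    hlen = int.from_bytes(body[1:4], "big")
    if htype not in (1, 2) or hlen < 2:
        raise ValueError("not a ClientHello/ServerHello")
    return htype, (body[4], body[5])       # client_version / server_version

def classify(client_record: bytes, server_record: bytes) -> str:
    """Compare the offered version with the version the server selected."""
    ctype, offered = hello_version(client_record)
    stype, chosen = hello_version(server_record)
    if (ctype, stype) != (1, 2):
        raise ValueError("expected ClientHello then ServerHello")
    if chosen > offered:
        return "invalid"                   # server may not exceed the offer
    if chosen == SSL3 and offered > TLS10:
        return "ssl3-serverhello-for-tls>1.0-clienthello"
    if chosen < offered:
        return "downgraded:" + NAMES.get(chosen, "unknown")
    return "ok:" + NAMES.get(chosen, "unknown")

def make_hello(htype: int, version) -> bytes:
    """Constructed sample: version, 32-byte zero random, empty session id."""
    body = bytes(version) + bytes(32) + b"\x00"
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    rec_ver = version if htype == 2 else TLS10
    return b"\x16" + bytes(rec_ver) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(classify(make_hello(1, TLS12), make_hello(2, SSL3)))
    print(classify(make_hello(1, TLS12), make_hello(2, TLS12)))
```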