1151990 - https://www.openwebosproject.org/ only uses RC4 ciphersuites

Status: RESOLVED WORKSFORME

(Web Compatibility :: Desktop, defect, P5)

Description

[Jeff Muizelaar [:jrmuizel]]

This page works fine in Chrome.

Comment 1

[Jeff Muizelaar [:jrmuizel]]

I was also not able to find any to get more information about what was happening other than the error page containing ssl_error_no_cypher_overlap. Is there a way to get the offending certificate?

Comment 2

[Dana Keeler (she/her) (use needinfo) (:keeler for reviews)]

According to https://www.ssllabs.com/ssltest/analyze.html?d=openwebosproject.org that site only advertises a single RC4 ciphersuite. It also has SSL 3 enabled, which is insecure. It also neglects to send any intermediate certificates, which can mean clients won't find a path to a trusted root.

Comment 3

[Jeff Muizelaar [:jrmuizel]]

(In reply to David Keeler [:keeler] (use needinfo?) from comment #2)
> According to
> https://www.ssllabs.com/ssltest/analyze.html?d=openwebosproject.org that
> site only advertises a single RC4 ciphersuite. It also has SSL 3 enabled,
> which is insecure. It also neglects to send any intermediate certificates,
> which can mean clients won't find a path to a trusted root.

Do you know why Chrome still accepts the cert?

Comment 4

[:Cykesiopka]

(In reply to Jeff Muizelaar [:jrmuizel] from comment #3)
> Do you know why Chrome still accepts the cert?

I believe Chrome fetches intermediates based on cert AIA information, but I could be wrong.

Comment 5

[sjw]

The certificate expired a moth ago.

Comment 6

[Hallvord R. M. Steen [:hallvors]]

Still expired. Seems nobody is maintaining or using this anyway, so low pri. We might even close it..

Comment 7

[sjw]

Still no new cert. I'll close it for now.