Bug 1152627: jst.doded.mil is TLS 1.2 intolerant
Status: RESOLVED FIXED (opened 10 years ago, closed 10 years ago)
Categories: Web Compatibility :: Site Reports, defect
Tracking: Not tracked
People: Reporter: nick.smith, Unassigned
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150402191859
Steps to reproduce:
Attempting to visit a website I work on at https://jst.doded.mil. It used to work, but after upgrading to Firefox 37 (or maybe 36) I now get this error and no option to proceed to the site. I can still connect with IE, Safari and Chrome. I would like to figure out a workaround for our Firefox users, or find out what the problem is. I was thinking it may be due to the SHA1 SSL cert, but I wasn't sure.
Secure Connection Failed
The connection to jst.doded.mil was interrupted while the page was loading.
Actual results:
The following error is shown:
Secure Connection Failed
The connection to jst.doded.mil was interrupted while the page was loading.
Expected results:
Used to get an "Untrusted Connection" warning with ability to "Add exception..." and continue to the site.
Component: Untriaged → Desktop
Product: Core → Tech Evangelism
Version: 37 Branch → Firefox 37
Comment 2•10 years ago
Hi Nick,
Thanks for the report.
The issue here is that the server is TLS 1.2 intolerant, and needs to be fixed.
In previous Firefox versions connections to servers that are TLS 1.1/1.2 intolerant are retried with lower TLS versions in an attempt to increase compatibility. However, this practice enables MITM attacks to cause fallbacks to older, less secure versions.
Hence, in Firefox 37 TLS version fallbacks have been disabled by default except for sites on a static whitelist, with the intent of eventually eliminating fallbacks entirely. You can see Bug 1084025 and Bug 1114816 for more details.
jst.doded.mil can be added to a static whitelist so that connections will work by default again, but the earliest that change will hit a release version is Firefox 38 (scheduled for release on the week of 2015-05-12).
In the meantime, these prefs (from most to least preferred) can be set so connections are possible again:
security.tls.insecure_fallback_hosts = jst.doded.mil (a comma separated list of domains)
security.tls.version.fallback-limit = 2
security.tls.version.max = 2
Thanks!
Blocks: TLS-Intolerance
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Mac OS X → All
Hardware: x86 → All
Summary: Secure Connection Failed The connection to jst.doded.mil was interrupted while the page was loading. → jst.doded.mil is TLS 1.2 intolerant
Version: Firefox 37 → unspecified
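The fallback behaviour and the three prefs from comment 2, as an added illustration that is not part of the original thread and is not Firefox's code: a simplified Python model in which version numbers use the pref encoding (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2). The function names, the `mitm_drops_above` parameter and the rule that a whitelisted host may fall back as far as TLS 1.0 are assumptions of the model.

```python
# Simplified model of client-side TLS version fallback (not Firefox source).
# Versions use the security.tls.version.* pref encoding.
TLS10, TLS11, TLS12 = 1, 2, 3

def server_accepts(offered, intolerant_above=None, mitm_drops_above=None):
    """Return the negotiated version, or None if the connection is dropped.

    intolerant_above: a broken server resets any ClientHello offering more.
    mitm_drops_above: an on-path attacker drops any ClientHello offering more.
    """
    for limit in (intolerant_above, mitm_drops_above):
        if limit is not None and offered > limit:
            return None
    return offered  # constructed server: supports every version up to `offered`

def connect(host, version_max=TLS12, fallback_limit=TLS12,
            insecure_fallback_hosts=(), **network):
    """Offer version_max first, then retry lower versions down to the floor."""
    # Assumption: a host on the whitelist may fall back as far as TLS 1.0.
    floor = TLS10 if host in insecure_fallback_hosts else fallback_limit
    offered = version_max
    while offered >= min(floor, version_max):
        negotiated = server_accepts(offered, **network)
        if negotiated is not None:
            return negotiated
        offered -= 1  # retry with the next lower version
    return None  # the user sees "Secure Connection Failed"

if __name__ == "__main__":
    host = "jst.doded.mil"
    broken = {"intolerant_above": TLS11}   # TLS 1.2 intolerant server
    attack = {"mitm_drops_above": TLS10}   # healthy server, hostile network
    print("default prefs:       ", connect(host, **broken))
    print("whitelisted host:    ", connect(host, insecure_fallback_hosts=(host,), **broken))
    print("fallback-limit = 2:  ", connect(host, fallback_limit=TLS11, **broken))
    print("version.max = 2:     ", connect(host, version_max=TLS11, **broken))
    print("old fallback + MITM: ", connect("example.test", fallback_limit=TLS10, **attack))
    print("default prefs + MITM:", connect("example.test", **attack))
```

In this model the whitelist entry relaxes the floor for one host only, `fallback-limit = 2` relaxes it for every host, and `version.max = 2` stops TLS 1.2 from being offered at all.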
Comment 3 (Reporter) • 10 years ago
We'd like to get added to the whitelist for the next version. What do we need to do?
Comment 4•10 years ago
(In reply to nick.smith from comment #3)
> We'd like to get added to the whitelist for the next version. What do we
> need to do?
Hi Nick,
Nothing on your end.
Note that this is a Tech Evangelism bug, which tracks when your server is fixed. The site will be added to the whitelist in Bug 1145844 instead.
Comment 5•10 years ago
I wonder if this is the Cisco CSS11503 load balancer or something else.
Comment 6•10 years ago
This appears to be fixed.
Comment 7•10 years ago
Yes.
The server displays a cert error, but at least the TLS intolerance was fixed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated (Assignee) • 6 years ago
Product: Tech Evangelism → Web Compatibility