1152827 - www.myagent.gov.ab.ca is TLS 1.1/1.2 intolerant

Status: RESOLVED FIXED

(Web Compatibility :: Site Reports, defect)

Description

[Kamil Jozwiak [:kjozwiak]]

Looks like myagent.gov.ab.ca is using RC4-only and should probably update to a better cipher as all the browsers are phasing support for it.

* https://www.ssllabs.com/ssltest/analyze.html?d=myagent.gov.ab.ca

As per Bug # 1143375 Comment # 6, you can add the website into "security.tls.insecure_fallback_hosts" in about:config to workaround the error.

STR:

* download the latest nightly
** http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/
* once downloaded & installed, visit https://www.myagent.gov.ab.ca
* You'll receive "Error code: ssl_error_no_cypher_overlap"

Comment 1

[Dave Garrett]

This was fixed at some point. The server still has absolutely horrible security, but it works now, at least. AES CBC & 3DES are now available in addition to RC4 & EXPORT ciphers, not to mention SSL3 & even SSL2. (for the full list of the horrors here, see the test)

Comment 2

[:Cykesiopka]

(In reply to Dave Garrett from comment #1)
> This was fixed at some point. The server still has absolutely horrible
> security, but it works now, at least. AES CBC & 3DES are now available in
> addition to RC4 & EXPORT ciphers, not to mention SSL3 & even SSL2. (for the
> full list of the horrors here, see the test)

Unfortunately, it looks like TLS 1.1/1.2 intolerance was introduced as well.
I'm going to re-open, since the bug number here is already referenced at https://hg.mozilla.org/integration/mozilla-inbound/annotate/624abe520677/security/manager/ssl/IntolerantFallbackList.inc#l411.

Comment 3

[Masatoshi Kimura [:emk]]

Fixed.