Closed Bug 1154285 Opened 7 years ago Closed 7 years ago

www.card-data.com is TLS 1.2 intolerant and RC4 only

Categories

(Web Compatibility :: Desktop, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: adam.kaplan, Unassigned)

References

()

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36 OPR/20.0.1387.91

Steps to reproduce:

Use FF37 Desktop to browse www.card-data.com


Actual results:

Site unreachable due to TLS fallback intolerance


Expected results:

Site should be accessible.  Please add to whitelist until site is fixed - sometime in late 2015.
Hi Adam,

Thanks for the report.

If you don't mind, could you please enable more modern cipher suites on the server as well (or forward it to someone who can)? It looks like the server is RC4 only.

Thanks!
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: TLS Fallback Intolerance - add URL to white-list - block bug 1126620 → www.card-data.com is TLS 1.2 intolerant and RC4 only
Version: Firefox 37 → unspecified
(In reply to Cykesiopka from comment #1)
> Hi Adam,
> 
> Thanks for the report.
> 
> If you don't mind, could you please enable more modern cipher suites on the
> server as well (or forward it to someone who can)? It looks like the server
> is RC4 only.
> 
> Thanks!

Servers support modern ciphers, issue is load balancer doesn't.  It will be replaced with more modern hardware soon.

When will the whitelist be pushed to Firefox 37 users?

Thanks
(In reply to adam.kaplan from comment #2)
> Servers support modern ciphers, issue is load balancer doesn't.  It will be
> replaced with more modern hardware soon.

That's good to hear, thanks.

> When will the whitelist be pushed to Firefox 37 users?

It won't be, unfortunately. The whitelist update will occur in Bug 1145844, which will hit Firefox 38 (scheduled for release the week of 2015-05-12: https://wiki.mozilla.org/RapidRelease/Calendar ).

In the mean time, these prefs (in most to least preferred order) can be used so connections are possible again:
security.tls.insecure_fallback_hosts = www.card-data.com (a comma separated list of domains)
security.tls.version.fallback-limit = 2
security.tls.version.max = 2
Will this be part of any Firefox 38 beta?  Thanks
(In reply to adam.kaplan from comment #4)
> Will this be part of any Firefox 38 beta?  Thanks

Yes, probably in the last beta or a RC.
Load balancing hardware has been updated and whitelist of card-data.com is no longer needed.  Thanks
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility
You need to log in before you can comment on or make changes to this bug.