Closed
Bug 1154485
Opened 10 years ago
Closed 8 years ago
ssl_error_handshake_failure_alert on https://pkg.oracle.com - can't negotiate TLS 1.2 connection (RC4 used)
Categories
(Web Compatibility :: Site Reports, defect, P5)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: james_roberts-thomson, Unassigned)
References
()
Details
(Keywords: site-compat, Whiteboard: [sitewait])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150402191859
Steps to reproduce:
Firefox 37.0.1 (and recent previous releases) cannot connect to https://pkg.oracle.com (a subscription website from Oracle that requires an Oracle generated SSL certificate for authentication).
Actual results:
Connection fails with "error code: ssl_error_handshake_failure_alert".
Setting security.tls.version.max to "2" (rather than the default of 3) will enable the connection to succeed, but at the cost of preventing Firefox from using TLS1.2 everywhere.
Additionally, setting security.tls.version.max back to "3" and setting security.tls.version.fallback-limit to "1" causes the SSL connection to fail with "ssl_error_no_cypher_overlap".
Expected results:
I understand this is probably an Oracle problem to fix, i.e. their website needs work; but Firefox used to connect OK, and no longer does. It would be nice if it could work without needing to disable TLS1.2 support.
I have attached the output from an OpenSSL s_client connection showing TLS1.2 does work (but uses RC4 ciphers, which presumably is why Firefox currently doesn't, due to RC4 ciphers being deprecated in Firefox).
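As an added illustration (not code from the bug or its attachment): a small Python checker that reads the kind of `openssl s_client` output the reporter attached and flags whether the negotiated protocol or cipher is a legacy one such as RC4. The sample output below is constructed to resemble that attachment, not copied from it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the s_client transcript the report mentions
# (TLS 1.2 negotiated, but with an RC4 cipher suite).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA
    Session-ID: 3A7F0000CONSTRUCTED
"""

# Cipher-suite families a defender should treat as weak (OpenSSL naming).
WEAK_CIPHER_PATTERNS = {
    "RC4": re.compile(r"(^|-)RC4(-|$)"),
    "3DES": re.compile(r"DES-CBC3|3DES"),
    "NULL": re.compile(r"NULL"),
    "EXPORT": re.compile(r"^EXP-"),
    "MD5": re.compile(r"-MD5$"),
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class HandshakeFinding:
    protocol: str
    cipher: str
    issues: list = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.issues


def parse_s_client(output: str) -> HandshakeFinding:
    """Extract the negotiated protocol/cipher from the SSL-Session block and grade them."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not proto or not cipher:
        raise ValueError("no SSL-Session block found (handshake aborted?)")
    finding = HandshakeFinding(proto.group(1), cipher.group(1))
    if finding.protocol in LEGACY_PROTOCOLS:
        finding.issues.append(f"legacy protocol {finding.protocol}")
    if finding.cipher in ("(NONE)", "0000"):  # s_client prints this when no suite was agreed
        finding.issues.append("no cipher negotiated")
    for name, pattern in WEAK_CIPHER_PATTERNS.items():
        if pattern.search(finding.cipher):
            finding.issues.append(f"weak cipher family {name}")
    return finding
```

Running `parse_s_client` over the sample reports TLSv1.2 with RC4-SHA and marks the handshake unacceptable because of the RC4 family, which matches the situation the report describes.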
Comment 1•10 years ago
(In reply to James Roberts-Thomson from comment #0)
> https://pkg.oracle.com (a subscription website from Oracle that requires an
> Oracle generated SSL certificate for authentication).
Bug 465330 suggests ssl_error_handshake_failure_alert is the error message you get when you're missing the required client certificate.
> TLS1.2 does work (but uses RC4 ciphers, which presumably is why Firefox
> currently doesn't, due to RC4 ciphers being deprecated in Firefox).
No, that's not the cause of what you're seeing. Currently RC4 just triggers a warning triangle icon in the location bar, instead of a padlock. Starting in Firefox 39, sites fail to load with an ssl_error_no_cypher_overlap error.
Component: Untriaged → Security: PSM
Keywords: site-compat
Product: Firefox → Core
Summary: FireFox 37 can't negotiate TLS1.2 connection with https://pkg.oracle.com → ssl_error_handshake_failure_alert on https://pkg.oracle.com - can't negotiate TLS 1.2 connection (RC4 used)
Comment 2•10 years ago
(In reply to Gingerbread Man from comment #1)
> (In reply to James Roberts-Thomson from comment #0)
> > https://pkg.oracle.com (a subscription website from Oracle that requires an
> > Oracle generated SSL certificate for authentication).
>
> Bug 465330 suggests ssl_error_handshake_failure_alert is the error message
> you get when you're missing the required client certificate.
I can assure you, I have the correct certificate loaded in Firefox. It used to work by default; it no longer does. The certificate has NOT expired. Firefox DOES work with TLS1.1 (by disabling TLS1.2 as mentioned in the notes), therefore I doubt it's a certificate issue; but I am happy to be shown how that could be possible.
Please see the attached screenshot of the Firefox Certificate display.
> > TLS1.2 does work (but uses RC4 ciphers, which presumably is why Firefox
> > currently doesn't, due to RC4 ciphers being deprecated in Firefox).
>
> No, that's not the cause of what you're seeing. Currently RC4 just triggers
> a warning triangle icon in the location bar, instead of a padlock. Starting
> in Firefox 39, sites fail to load with an ssl_error_no_cypher_overlap error.
I'd seen some comments on RC4 being deprecated based on Google searches; but I am happy to be corrected on that one, thanks.
Comment 3•10 years ago
Comment 4•10 years ago
(In reply to James Roberts-Thomson from comment #2)
> I'd seen some comment on RC4 being deprecated based on Google searches; but
> happy to be corrected on that one, thanks.
Yes, RC4 is deprecated. That means, “this works for now, but you shouldn't be using it, because it'll stop working in the future”. That point in the future will be Firefox 39 [1] when it'll only work for sites on the built-in whitelist (and those the user whitelists manually).
I have no further comment now. Rest assured, someone will have a look at this and determine if it's a Firefox issue or an evangelism issue.
[1] Bug 1124039, comment 69
Comment 5•10 years ago
The site doesn't work in Chrome either -> evangelism issue.
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Version: 37 Branch → unspecified
Comment 6•10 years ago
Tweeted
Comment 7•10 years ago
(Although I guess with a company the size of Oracle, @mentioning them on Twitter won't help much. On the bright side, this server is likely not used for anything actually useful anyway..)
Whiteboard: [sitewait]
Comment 8•10 years ago
(In reply to Hallvord R. M. Steen [:hallvors] from comment #7)
> On the bright side, this server is likely not used
> for anything actually useful anyway..
I guess that depends on whether or not you think being the primary update site for a company's premier OS is "useful"...
pkg.oracle.com is the default package and update source for all Solaris 11 deployments worldwide. *I'd* call that useful.
Comment 9•10 years ago
So their various update software connects to this server, but it doesn't have contents meant for browsing? Perhaps updating the certificate is a large undertaking if one also needs to update lots of software tied to a specific configuration?
Comment 10•10 years ago
There are two websites at that URL; the http one is slightly different to the https one. Both websites display content with a browser, including a very useful package search engine.
The https site, however, contains additional software repositories that contain more updates, which are only available if you have a support contract. The https site also uses client-side certificates for client authentication; you cannot connect to the https://pkg.oracle.com/ site unless you have an Oracle-generated client certificate.
(Note that there is an end-user interface for certificate generation at https://pkg-register.oracle.com/.)
The primary function of those sites, however, would be to provide updates to Solaris systems and additional software by the use of the Solaris command-line tools, and NOT a browser. I'm unsure if the Solaris tools actually validate the server-side credentials; they don't appear to, but they may well have internal validation that isn't obvious. So it is possible that updating the server certs is a non-trivial task for Oracle.
However, only Oracle Employees responsible for managing that infrastructure would know the answers for sure.
Comment 12•8 years ago
I'm wondering if we should close this report? It has been two years and it was not working in multiple browsers.
Priority: -- → P5
Comment 13•8 years ago
I'm happy for the bug to be closed; the originally reported problem no longer seems to exist - presumably Oracle amended the certs on their website to be more up to date with respect to security.
Comment 14•8 years ago
(In reply to James Roberts-Thomson from comment #13)
> I'm happy for the bug to be closed; the originally reported problem no
> longer seems to exist - presumably Oracle amended the certs on their website
> to be more up to date with respect to security.
Therefore I'm closing this as WONTFIX.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Updated•6 years ago
Product: Tech Evangelism → Web Compatibility