Closed
Bug 1155932
Opened 10 years ago
Closed 10 years ago
Secure Connection Failed on IIS server serving any SHA-512 cert due to not offering SHA-512 in signature_algorithms extension
Categories
(Core :: Security: PSM, defect)
Tracking
RESOLVED
FIXED
mozilla39
People
(Reporter: bugzillareporter, Assigned: KaiE)
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150402191859
Steps to reproduce:
I updated from FF 36 to FF 37 on Windows 8.1.
I entered the URL
https://apps.oaa.uci.edu/diversityopportunities/
but can't connect to the page. I updated to 37.0.1, and the problem persists.
Actual results:
The page shows
Secure Connection Failed
The connection to the server was reset while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Expected results:
I expected the secure site to load successfully as it did with FF 36.
Qualys gives the site an A- SSL report.
https://www.ssllabs.com/ssltest/analyze.html?d=apps.oaa.uci.edu&hideResults=on&latest
Chrome 42 and IE 11 both connect to the site without problems.
FF 37.0.1 can connect to the site when I add apps.oaa.uci.edu to the security.tls.insecure_fallback_hosts. But I feel like FF 37 should connect without having to add the site to the exception list.
Thanks in advance for looking into this.
Reporter
Updated•10 years ago
Severity: normal → major
Regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=47c8e9b16918&tochange=b4143e04bea1
Meadhbh Hamrick — Bug 861266: Enable TLS 1.2 by default, r=briansmith
It's probably a server issue about TLS.
Component: Untriaged → Security: PSM
Flags: needinfo?(cykesiopka.bmo)
Product: Firefox → Core
Comment 2•10 years ago
It looks like the root cause might be Bug 1155922:
There's an intermediate SHA-512 cert being sent:
> InCommon RSA Server CA
> Fingerprint: f4f26a16d4b913cf3208e664e3dd384e56ce77af
> RSA 2048 bits (e 65537) / SHA512withRSA
IIS is being used:
> HTTP server signature Microsoft-IIS/8.0
Applying the Bug 1155922 attachment 8594312 patch and building locally, I can connect fine with TLS 1.2.
Feel free to correct me if this is incorrect.
Status: UNCONFIRMED → NEW
Depends on: 1155922
Ever confirmed: true
Flags: needinfo?(cykesiopka.bmo)
OS: Windows 8.1 → All
Hardware: x86_64 → All
Summary: Secure Connection Failed with 37.0.1 → Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithm
Comment 3•10 years ago
To whoever operates the server, note:
- https://code.google.com/p/chromium/issues/detail?id=461391 has already been WontFixed
- Bug 1129083, which seeks to remove support for SHA-512 certs
Updated•10 years ago
Summary: Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithm → Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithms extension
Comment 4•10 years ago
NSS 3.19 now has the fix from the Bug 1155922 patch, and Bug 1144055 has upgraded Firefox 39 and 40 to use NSS 3.19.
I tried connecting to https://apps.oaa.uci.edu/diversityopportunities, and it works fine now.
=> Marking this as fixed, at least for now.
Assignee: nobody → kaie
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Summary: Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithms extension → Secure Connection Failed on IIS server serving any SHA-512 cert due to not offering SHA-512 in signature_algorithms extension
Target Milestone: --- → mozilla39
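A check for the mismatch this bug describes, as an added example (not code from the bug thread, NSS, or Firefox): it decodes a TLS 1.2 signature_algorithms extension body and lists the chain certificates whose signature algorithm the client did not offer. The extension bytes and the leaf entry are constructed sample data, and the function names are hypothetical.

```python
import struct

# TLS 1.2 code points (RFC 5246, section 7.4.1.4.1)
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}


def parse_signature_algorithms(ext_data: bytes) -> set:
    """Decode signature_algorithms extension_data into {(hash, sig), ...}."""
    if len(ext_data) < 2:
        raise ValueError("truncated extension")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len != len(body) or list_len % 2:
        raise ValueError("bad supported_signature_algorithms length")
    return {
        (HASHES.get(body[i], f"hash_{body[i]}"), SIGS.get(body[i + 1], f"sig_{body[i + 1]}"))
        for i in range(0, list_len, 2)
    }


def uncovered_chain_signatures(offered: set, chain: list) -> list:
    """Chain entries signed with a (hash, sig) pair the client did not offer."""
    return [(name, alg) for name, alg in chain if alg not in offered]


# Constructed extension bodies (not captured from Firefox): one list without
# any SHA-512 pair, one with sha512/rsa added.
WITHOUT_SHA512 = bytes.fromhex("000c" "0401" "0501" "0201" "0403" "0503" "0203")
WITH_SHA512 = bytes.fromhex("000e" "0601" "0401" "0501" "0201" "0403" "0503" "0203")

# Intermediate as quoted in comment 2; the leaf entry is a constructed placeholder.
CHAIN = [
    ("leaf (constructed)", ("sha256", "rsa")),
    ("InCommon RSA Server CA", ("sha512", "rsa")),
]

if __name__ == "__main__":
    for label, ext in (("without", WITHOUT_SHA512), ("with", WITH_SHA512)):
        missing = uncovered_chain_signatures(parse_signature_algorithms(ext), CHAIN)
        print(f"{label} SHA-512 offered -> uncovered: {missing}")
```

RFC 5246 requires every certificate the server sends to be signed with a pair from this extension when the client provides one, so a non-empty result flags a chain that a strict server may refuse to serve to that client.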