Secure Connection Failed on IIS server serving any SHA-512 cert due to not offering SHA-512 in signature_algorithms extension

RESOLVED FIXED in mozilla39

Status

()

--
major
RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: bugzillareporter, Assigned: kaie)

Tracking

37 Branch
mozilla39
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150402191859

Steps to reproduce:

I updated from FF 36 to FF 37 on Windows 8.1.

I entered the URL
https://apps.oaa.uci.edu/diversityopportunities/

but can't connect to the page. I updated to 37.0.1, and the problem persists.



Actual results:

The page shows

Secure Connection Failed

The connection to the server was reset while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.


Expected results:

I expected the secure site to load successfully as it did with FF 36.

Qualys gives the site an A- SSL report.
https://www.ssllabs.com/ssltest/analyze.html?d=apps.oaa.uci.edu&hideResults=on&latest

Chrome 42 and IE 11 both connect to the site without problems.

FF 37.0.1 can connect to the site when I add apps.oaa.uci.edu to the security.tls.insecure_fallback_hosts. But I feel like FF 37 should connect without having to add the site to the exception list.

Thanks in advance for looking into this.
(Reporter)

Updated

4 years ago
Severity: normal → major

Comment 1

4 years ago
Regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=47c8e9b16918&tochange=b4143e04bea1

Meadhbh Hamrick — Bug 861266: Enable TLS 1.2 by default, r=briansmith

It's probably a server issue about TLS.
Component: Untriaged → Security: PSM
Flags: needinfo?(cykesiopka.bmo)
Product: Firefox → Core

Comment 2

4 years ago
It looks like the root cause might be Bug 1155922:

There's an intermediate SHA-512 cert being sent:
> InCommon RSA Server CA
> Fingerprint: f4f26a16d4b913cf3208e664e3dd384e56ce77af
> RSA 2048 bits (e 65537) / SHA512withRSA

IIS is being used:
> HTTP server signature 	Microsoft-IIS/8.0

Applying the Bug 1155922 attachment 8594312 [details] [diff] [review] patch and building locally, I can connect fine with TLS 1.2.

Feel free to correct me if this is incorrect.
Status: UNCONFIRMED → NEW
Depends on: 1155922
Ever confirmed: true
Flags: needinfo?(cykesiopka.bmo)
OS: Windows 8.1 → All
Hardware: x86_64 → All
Summary: Secure Connection Failed with 37.0.1 → Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithm

Comment 3

4 years ago
To whoever operates the server, note:
  - https://code.google.com/p/chromium/issues/detail?id=461391 has already been WontFixed
  - Bug 1129083, which seeks to remove support for SHA-512 certs

Updated

4 years ago
Summary: Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithm → Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithms extension

Comment 4

4 years ago
NSS 3.19 now has the fix from the Bug 1155922 patch, and Bug 1144055 has upgraded Firefox 39 and 40 to use NSS 3.19.

I tried connecting to https://apps.oaa.uci.edu/diversityopportunities, and it works fine now.

=> Marking this as fixed, at least for now.
Assignee: nobody → kaie
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Summary: Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithms extension → Secure Connection Failed on IIS server serving any SHA-512 cert due to not offering SHA-512 in signature_algorithms extension
Target Milestone: --- → mozilla39

Updated

4 years ago
Duplicate of this bug: 1159246

Updated

3 years ago
Duplicate of this bug: 1169085
Comment hidden (spam)
You need to log in before you can comment on or make changes to this bug.