Closed Bug 1159224 Opened 10 years ago Closed 10 years ago

ps9-web1.cna.nl.ca is TLS 1.1/1.2 intolerant

Categories

(Web Compatibility :: Site Reports, defect)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: markflemingnl, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150415140819

Steps to reproduce:

Fail to load page https://ps9-web1.cna.nl.ca, receiving ssl_error_no_cypher_overlap error. SSL settings have been updated, but receiving cipher suite mismatch on ssllabs tester.

Actual results:

ssl_error_no_cypher_overlap

Expected results:

Page loads successfully.
Because this website has only TLS 1.0 enabled, which is weak. https://www.ssllabs.com/ssltest/analyze.html?d=ps9-web1.cna.nl.ca
Component: Untriaged → Desktop
Product: Core → Tech Evangelism
Summary: ssl_error_no_cypher_overlap on https://ps9-web1.cna.nl.ca → ps9-web1.cna.nl.ca is TLS 1.1/1.2 intolerant
Version: 37 Branch → Firefox 37
Reporter, could you contact the sysadmin of this website?
Flags: needinfo?(markflemingnl)
(In reply to Loic from comment #1)
> Because this website has only TLS 1.0 enabled, which is weak.
> https://www.ssllabs.com/ssltest/analyze.html?d=ps9-web1.cna.nl.ca

Well, a server supporting TLS 1.0 is problematic in the longer term, but the immediate issue is that the server incorrectly chokes when something even attempts to negotiate something newer.
Status: UNCONFIRMED → NEW
Ever confirmed: true
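An added example (not part of this bug thread or of any Mozilla code): the comparison behind the "TLS 1.1/1.2 intolerant" verdict, applied to the first bytes a server returns for ClientHellos offering each version. The function names and the sample replies are constructed for illustration.

```python
import struct

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
RECORD_ALERT, RECORD_HANDSHAKE, HS_SERVER_HELLO = 21, 22, 2

def name(version):
    return VERSIONS.get(version, hex(version))

def parse_first_reply(reply):
    """Classify the first TLS record a server sends after a ClientHello."""
    if len(reply) < 5:
        return ("closed", None)            # EOF or reset before a record header
    rtype, _record_version, length = struct.unpack("!BHH", reply[:5])
    body = reply[5:5 + length]
    if rtype == RECORD_ALERT and len(body) >= 2:
        return ("alert", body[1])          # body is level, description
    if rtype == RECORD_HANDSHAKE and len(body) >= 6 and body[0] == HS_SERVER_HELLO:
        # 4-byte handshake header (type, 24-bit length), then server_version
        return ("server_hello", struct.unpack("!H", body[4:6])[0])
    return ("unexpected", rtype)

def diagnose(replies):
    """replies: {version offered in ClientHello: first bytes the server sent back}."""
    outcome = {v: parse_first_reply(r) for v, r in replies.items()}
    accepted = {v: o[1] for v, o in outcome.items() if o[0] == "server_hello"}
    if not accepted:
        return "no handshake succeeded at any offered version"
    server_max = max(accepted.values())
    # A compliant server answers a newer offer with its own highest version.
    # Failing only on offers above that version is version intolerance.
    broken = sorted(v for v in outcome if v not in accepted and v > server_max)
    if broken:
        offers = ", ".join(name(v) for v in broken)
        return f"version intolerant: fails when offered {offers}; supports up to {name(server_max)}"
    return f"tolerant: supports up to {name(server_max)}"

def _server_hello(version):
    """Constructed minimal ServerHello record (zero random, no extensions)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([HS_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", RECORD_HANDSHAKE, version, len(hs)) + hs

# Constructed sample replies, not captures from the site in this bug.
FATAL_HANDSHAKE_FAILURE = struct.pack("!BHHBB", RECORD_ALERT, 0x0301, 2, 2, 40)
INTOLERANT = {0x0301: _server_hello(0x0301), 0x0302: FATAL_HANDSHAKE_FAILURE, 0x0303: b""}
TOLERANT = {v: _server_hello(0x0301) for v in VERSIONS}

if __name__ == "__main__":
    print(diagnose(INTOLERANT))
    print(diagnose(TOLERANT))
```

A TLS 1.0-only server that answers every offer with a TLS 1.0 ServerHello is old but tolerant; only the first sample set matches the behaviour reported here.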
Been working with sysadmins; they have been working on fixes. However, it appears the recent Firefox 38 update now allows the site to open. It appears related to security.tls.insecure_fallback_hosts.use_static_list (bug 1114816); if we set this to false and restart Firefox, the same error is received.
Flags: needinfo?(markflemingnl)
Looks like the site is no longer TLS 1.1/1.2 intolerant.

Note however, the "Extra download" part from https://www.ssllabs.com/ssltest/analyze.html?d=ps9-web1.cna.nl.ca:
> Thawte SSL CA
> 2 Extra download Fingerprint: 73e42686657aece354fbf685712361658f2f4357
> RSA 2048 bits (e 65537) / SHA1withRSA

This means the server is still slightly misconfigured: it should be sending this intermediate cert as well. However, this is a separate issue.

markflemingnl: thanks for working with the sysadmins to get this fixed!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Version: Firefox 37 → unspecified
Product: Tech Evangelism → Web Compatibility