Closed Bug 1160122 Opened 7 years ago Closed 7 years ago

https://saml.yammer.com uses RC4 cipher suites (which are deprecated and insecure), and is RC4 only on Firefox

Categories

(Web Compatibility :: Desktop, defect)

Unspecified
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: cbook, Unassigned)

Details

(Whiteboard: [workaround: add "saml.yammer.com" to the about:config pref "security.tls.insecure_fallback_hosts"])

Steps to reproduce:

Use Nightly: 

login to yammer https://www.yammer.com/mozilla.com/
--> Secure Connection Failed

The connection to saml.yammer.com was interrupted while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
OS: Unspecified → Mac OS X
OS: Mac OS X → All
What version of Firefox are you using?
Flags: needinfo?(cbook)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #1)
> What version of Firefox are you using?

40.0a1 (2015-04-30)
Flags: needinfo?(cbook)
Same with the 4/30/2015 daily build of Aurora as well.
I don't know if there's some difference visiting https://www.yammer.com/mozilla.com over an internal Mozilla network or not, but I get redirected to https://saml.yammer.com, which appears to be the problematic domain.

https://www.ssllabs.com/ssltest/analyze.html?d=saml.yammer.com :
> Cipher Suites (sorted by strength; the server has no preference)
> TLS_RSA_WITH_RC4_128_MD5 (0x4)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
> TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
> TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

RC4 is of course in whitelist mode, and assuming the SSL Labs Client Test is correct, none of the non-RC4 cipher suites are supported.
This is a tech evangelism issue. Presumably we have contacts at Yammer?
Component: Security → Desktop
Product: Core → Tech Evangelism
Summary: Yammer login fails on nightly with Secure Connection Failed → https://saml.yammer.com uses RC4 cipher suites (which are deprecated and insecure)
Duplicate of this bug: 1160817
Summary: https://saml.yammer.com uses RC4 cipher suites (which are deprecated and insecure) → https://saml.yammer.com uses RC4 cipher suites (which are deprecated and insecure), and is RC4 only on Firefox
Note that there are two issues here:
1) The server does not support a cipher that can be used with Firefox.
2) The server does not respond with an error such that Firefox reports ssl_error_no_cypher_overlap.

Ideally, Firefox would like to use:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
At minimum:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

The combination of CBC+SHA256 is not supported. Either upgrade to GCM or stick with SHA1.
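The two issues in comment #7 (no usable cipher overlap, and a server that would otherwise negotiate only RC4) can be checked offline from the SSL Labs listing quoted in comment #4. The script below is an added example and is not code from this bug, from Mozilla, or from Yammer: it parses the quoted SSL Labs lines into cipher suites, classifies each by key exchange, cipher mode and hash, simulates what a server with no preference would pick from a client offer, and reports the findings a server operator would need to act on. The client offer it uses is a constructed approximation of a browser with RC4 disabled (the two suites named in comment #7 plus a few CBC+SHA1 fallbacks), not Firefox's actual preference list.

```python
"""Cipher-suite overlap check built around the saml.yammer.com report.

Added example, not code from the bug, Mozilla or Yammer. The server list is the
SSL Labs output quoted in the bug; the client list is a constructed stand-in for a
browser that has dropped RC4 and does not implement CBC+SHA256 suites (assumption).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# SSL Labs lines exactly as quoted in the bug (input data, constructed copy).
SSLLABS_OUTPUT = """\
> Cipher Suites (sorted by strength; the server has no preference)
> TLS_RSA_WITH_RC4_128_MD5 (0x4)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
> TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
> TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
"""

# Constructed client offer (assumption, not Firefox's real list): the "ideal" and
# "minimum" suites from comment #7 first, then CBC+SHA1 fallbacks. No RC4, no CBC+SHA256.
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # 0xc02f
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",     # 0xc014
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# "> TLS_RSA_WITH_RC4_128_MD5 (0x4)" -> name, hex code
SUITE_LINE = re.compile(r"^>?\s*(TLS_[A-Z0-9_]+)\s+\((0x[0-9a-fA-F]+)\)")

# IANA naming convention TLS_<kx>_WITH_<cipher>_<hash>; for GCM suites the trailing
# hash is the PRF hash rather than a MAC, but the classification below only needs it
# to tell SHA1 from SHA2.
NAME_RE = re.compile(
    r"^TLS_(?P<kx>.+?)_WITH_"
    r"(?P<cipher>RC4_128|AES_(?:128|256)_(?:CBC|GCM)|3DES_EDE_CBC)_"
    r"(?P<mac>MD5|SHA|SHA256|SHA384)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    code: int
    kx: str
    cipher: str
    mac: str

    @property
    def forward_secret(self) -> bool:
        return self.kx.startswith(("ECDHE", "DHE"))

    @property
    def aead(self) -> bool:
        return self.cipher.endswith("GCM")

    @property
    def rc4(self) -> bool:
        return self.cipher.startswith("RC4")


def parse_suite(name: str, code: int = -1) -> Suite:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    return Suite(name, code, m["kx"], m["cipher"], m["mac"])


def parse_ssllabs(text: str) -> List[Suite]:
    """Extract (name, code) pairs from quoted SSL Labs output; header lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = SUITE_LINE.match(line)
        if m:
            suites.append(parse_suite(m.group(1), int(m.group(2), 16)))
    return suites


def negotiate(server: List[Suite], client_offer: List[str]) -> Optional[Suite]:
    """A server with no preference takes the first client suite it supports.
    None is the 'no cipher overlap' outcome described as issue 1 in the bug."""
    supported = {s.name for s in server}
    for name in client_offer:
        if name in supported:
            return parse_suite(name)
    return None


def assess(server: List[Suite], client_offer: List[str]) -> dict:
    """Summarise what an operator should see: the negotiated suite (if any) and findings."""
    chosen = negotiate(server, client_offer)
    findings = []
    if chosen is None:
        findings.append("no_cypher_overlap")
    if any(s.rc4 for s in server):
        findings.append("rc4_offered")
    if all(s.rc4 for s in server):
        findings.append("rc4_only")
    if not any(s.aead for s in server):
        findings.append("no_aead")           # comment #7: "upgrade to GCM"
    if not any(s.forward_secret for s in server):
        findings.append("no_forward_secrecy")
    return {"negotiated": chosen.name if chosen else None, "findings": findings}


if __name__ == "__main__":
    server = parse_ssllabs(SSLLABS_OUTPUT)
    print(assess(server, CLIENT_OFFER))
    # Remediation from comment #7: add the ECDHE GCM suite and the handshake succeeds.
    fixed = server + [parse_suite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02F)]
    print(assess(fixed, CLIENT_OFFER))
```

Against the quoted listing the result is `no_cypher_overlap` plus `rc4_offered` and `no_aead`: the server's only non-RC4 suites are CBC+SHA256, which the constructed client does not offer, so once RC4 is gone there is nothing left to agree on. Adding the single ECDHE GCM suite named in comment #7 is enough for negotiation to succeed.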
(adding workaround to whiteboard, for anyone who's actually being blocked from logging into yammer by this bug.)
Whiteboard: [workaround: set about:config pref "security.tls.unrestricted_rc4_fallback" to true while logging in]
cc'ing the SSO team, since they may have contacts at Yammer that are helpful here.
cc'ing vdoan, as he might have contacts at Yammer that are helpful here.
Duplicate of this bug: 1161135
I will reach out to Yammer to get assistance on this.
Whiteboard: [workaround: set about:config pref "security.tls.unrestricted_rc4_fallback" to true while logging in] → [workaround: add "saml.yammer.com" to the about:config pref "security.tls.insecure_fallback_hosts"]
(In reply to Dave Garrett from comment #7)
> Ideally, Firefox would like to use:
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> At minimum:
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
> 
> The combination of CBC+SHA256 is not supported. Either upgrade to GCM or
> stick with SHA1.

Is there a reason that combination isn't supported?  It seems bad to be pressuring server operators to stay with a weaker hash function just because they can't also change their cipher mode.
(In reply to Jed Davis [:jld] {UTC-7} from comment #13)
> (In reply to Dave Garrett from comment #7)
> > Ideally, Firefox would like to use:
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> > At minimum:
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
> > 
> > The combination of CBC+SHA256 is not supported. Either upgrade to GCM or
> > stick with SHA1.
> 
> Is there a reason that combination isn't supported?  It seems bad to be
> pressuring server operators to stay with a weaker hash function just because
> they can't also change their cipher mode.

There's a rationale for this in https://briansmith.org/browser-ciphersuites-01.html (see the last paragraph of the "Minimize the number of ciphersuites offered" section and the "Be compatible with web servers and with other browsers" section). Basically, it wasn't deemed necessary to add another (new in TLS 1.2) RSA ciphersuite given that we're trying to deprecate them anyway.
At this point, we seem to want to avoid adding new known-weak cipher suites so as to discourage sites from upgrading to old ones that we're also trying to get people to replace. That means suites without AEAD, FS, or SHA2 (or newer) are not likely to be added.

In this case, the server supports TLS 1.2, so it really should just use GCM.
Any word if they're going to fix this?
Flags: needinfo?(vdoan)
No word back from them yet. The support engineer who was originally assigned the ticket said she has reached out to their senior engineers for help. I will update again once I hear more.
Flags: needinfo?(vdoan)
Fixed, probably when they moved it to MS's datacenters.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility