"Secure Connection Failed" at https://saml.yammer.com/ in Nightly (unless I flip security.tls.unrestricted_rc4_fallback to "true")

RESOLVED DUPLICATE of bug 1160122

Status

()

Core
Security
RESOLVED DUPLICATE of bug 1160122
3 years ago
3 years ago

People

(Reporter: dholbert, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(firefox40 affected)

Details

Attachments

(2 attachments)

Yammer's having issues right now, and their error page won't load in Nightly, but it loads in Firefox Release.

STR:
 1. Load https://saml.yammer.com/


ACTUAL RESULTS:
Firefox error page, "Secure Connection Failed"

EXPECTED RESULTS:
A successful connection (to a yammer error page).
Created attachment 8600646 [details]
screenshot of Firefox Release vs. Nightly
(I submitted an error report, via the "report this error" link on the Secure Connection Failed page, FWIW. I'm hoping that captures enough information that we can triage this even after this yammer page is back up.)

SSL Labs gives them a "B" right now, FWIW:
 https://www.ssllabs.com/ssltest/analyze.html?d=saml.yammer.com

I initially suspected this might be an instance of bug 1138101 (rc4 dependence), but SSL Labs page shows they support some non-RC4 ciphers:
{
Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_RC4_128_MD5 (0x4)   WEAK 	128
TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK 	128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   WEAK 	128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 	128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 571 bits (eq. 15360 bits RSA)   FS 	128
}
(In reply to Daniel Holbert [:dholbert] from comment #3)
> I initially suspected this might be an instance of bug 1138101 (rc4
> dependence), but SSL Labs page shows they support some non-RC4 ciphers:

...though I can confirm that flipping security.tls.unrestricted_rc4_fallback to "true" fixes this. (makes Nightly behave like Firefox Release)

Tentatively marking as blocking bug 1138101, but I'm confused why we're failing to connect with this pref off, given that this yammer server supports non-rc4 ciphers per comment 3.
Blocks: 1138101
Summary: "Secure Connection Failed" at https://saml.yammer.com/ in Nightly (working in Release) → "Secure Connection Failed" at https://saml.yammer.com/ in Nightly (unless I flip security.tls.unrestricted_rc4_fallback to "true")
I'm hoping this makes more sense to :keeler or :emk.

Comment 6

3 years ago
(In reply to Daniel Holbert [:dholbert] from comment #4)
> (In reply to Daniel Holbert [:dholbert] from comment #3)
> > I initially suspected this might be an instance of bug 1138101 (rc4
> > dependence), but SSL Labs page shows they support some non-RC4 ciphers:
> 
> ...though I can confirm that flipping security.tls.unrestricted_rc4_fallback
> to "true" fixes this. (makes Nightly behave like Firefox Release)
> 
> Tentatively marking as blocking bug 1138101, but I'm confused why we're
> failing to connect with this pref off, given that this yammer server
> supports non-rc4 ciphers per comment 3.

See Bug 1160122 comment 4: none of the non-RC4 cipher suites are supported by Firefox.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1160122
You need to log in before you can comment on or make changes to this bug.