Closed Bug 1166644 Opened 8 years ago Closed 7 years ago

secure.crbonline.gov.uk is TLS 1.1/1.2 intolerant and RC4-only

Categories

(Web Compatibility :: Desktop, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: alisdairjones, Unassigned)

References

()

Details

The following website no longer loads following the disabling of insecure TLS fallback (detailed here: https://bugzilla.mozilla.org/show_bug.cgi?id=1084025):

https://secure.crbonline.gov.uk/crsc/subscriber
(Other sites at same domain have same issue)

Regression check confirms this change broke the site access.

SSLlabs report confirms only TLS 1.0 is supported, nothing better than RC4.

I am in the process of trying to bring this issue to the attention of the Government Digital Service(!).

In the meantime, can it please be added to the whitelist.
Component: Security → Desktop
Product: Firefox → Tech Evangelism
Summary: TLS/RC4 intolerance - secure.crbonline.gov.uk (add to whitelist) → secure.crbonline.gov.uk is TLS 1.1/1.2 intolerant and RC4-only
Version: 38 Branch → Firefox 38
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → All
Hardware: Unspecified → All
Version: Firefox 38 → unspecified
I enabled older protocols in a browser with lots of config options (Opera 12.x ;)) and finally got the site to load. And it said.. "Bad request". Maybe this server isn't used at all and we can just close the bug?
It works for me on FF41.0.1 - presumably with the site on the whitelist. I can log in to the site fine without having to resort to Safari etc.

In the meantime, until the GDS (who are responsible for the site) update the site security, the bug stands.
Fixed.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility
You need to log in before you can comment on or make changes to this bug.