secure.crbonline.gov.uk is TLS 1.1/1.2 intolerant and RC4-only

RESOLVED FIXED

4 years ago
3 years ago

People

(Reporter: alisdairjones, Unassigned)

(Reporter)

Description

4 years ago
The following website no longer loads following the disabling of insecure TLS fallback (detailed here: https://bugzilla.mozilla.org/show_bug.cgi?id=1084025):

https://secure.crbonline.gov.uk/crsc/subscriber
(Other sites at same domain have same issue)

Regression check confirms this change broke the site access.

SSL Labs report confirms only TLS 1.0 is supported, nothing better than RC4.

I am in the process of trying to bring this issue to the attention of the Government Digital Service(!).

In the meantime, can it please be added to the whitelist?
(Reporter)

Updated

4 years ago
Blocks: 1126620, 1138101

Updated

4 years ago
Component: Security → Desktop
Product: Firefox → Tech Evangelism
Summary: TLS/RC4 intolerance - secure.crbonline.gov.uk (add to whitelist) → secure.crbonline.gov.uk is TLS 1.1/1.2 intolerant and RC4-only
Version: 38 Branch → Firefox 38

Updated

4 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → All
Hardware: Unspecified → All
Version: Firefox 38 → unspecified

I enabled older protocols in a browser with lots of config options (Opera 12.x ;)) and finally got the site to load. And it said... "Bad request". Maybe this server isn't used at all and we can just close the bug?
(Reporter)

Comment 3

3 years ago
It works for me on FF41.0.1 - presumably with the site on the whitelist. I can log in to the site fine without having to resort to Safari etc.

In the meantime, until the GDS (who are responsible for the site) update the site security, the bug stands.

Comment 4

3 years ago
Fixed.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED