Closed
Bug 1169085
Opened 10 years ago
Closed 10 years ago
Getting "Secure Connection Failed" on TLS 1.2 enabled server in 37 and 38
Categories
(Core :: Security: PSM, defect)
RESOLVED
DUPLICATE
of bug 1155932
People
(Reporter: devin.collins, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150513174244
Steps to reproduce:
Go to nscsss.nd.edu in v37 or v38 of Firefox. Get "Secure Connection Failed".
Actual results:
When using 36, TLS falls back to 1.1 using the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) cipher. Presumably, this is failing in 37 and 38 because there's no more TLS fallback. In the 39 beta, TLS 1.2 works using the same cipher. Other browsers are using TLS 1.2.
See https://www.ssllabs.com/ssltest/analyze.html?d=nscsss.nd.edu
Expected results:
Expecting Firefox to use TLS 1.2 on the server.
Comment 1•10 years ago
Not sure why 38 isn't loading it. Aurora 40 is loading it for me fine, at the moment.
(In reply to devin.collins from comment #0)
> Presumably, this is failing in 37 and 38 because there's no more TLS fallback.
This is not correct. The specification-compliant TLS version fallback has always, and will always, work fine. Properly implemented TLS 1.1 or 1.0 servers will still fall back and work fine (assuming the ciphers are supported, of course). It's the insecure version fallback that has been disabled. Only servers with broken TLS implementations are affected. What was disabled is the hacky insecure multiple-attempt-based fallback system that all browsers implemented to deal with buggy servers.
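The distinction drawn in comment 1, as an added example that is not part of the original comment and is not Firefox or NSS code: a simplified model of in-protocol version negotiation next to the retry-based fallback. The function names, the `intolerant` flag and the `disrupted` counter are assumptions made for illustration.

```python
"""Toy model of TLS version negotiation (constructed for illustration)."""

VERSIONS = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]  # ordered lowest to highest


class HandshakeFailure(Exception):
    pass


def server_hello(client_max, server_max, intolerant=False):
    """Return the version the server selects for a ClientHello offering client_max."""
    c, s = VERSIONS.index(client_max), VERSIONS.index(server_max)
    if intolerant and c > s:
        # Broken server: aborts instead of answering with its own highest version.
        raise HandshakeFailure(f"server aborted on {client_max}")
    # Specification-compliant: the highest version both sides support.
    return VERSIONS[min(c, s)]


def connect(client_max, server_max, intolerant=False,
            insecure_fallback=False, disrupted=0):
    """Return (negotiated_version, attempts); raise if no handshake succeeds.

    disrupted = number of initial handshakes that fail in transit, for any
    reason (flaky network or deliberate interference).
    """
    offers = [client_max]
    if insecure_fallback:
        # Retry-based fallback: after any failure, re-offer each lower version.
        offers += reversed(VERSIONS[:VERSIONS.index(client_max)])
    for attempt, offer in enumerate(offers, start=1):
        if attempt <= disrupted:
            continue  # this handshake never completed
        try:
            return server_hello(offer, server_max, intolerant), attempt
        except HandshakeFailure:
            continue
    raise HandshakeFailure("Secure Connection Failed")


if __name__ == "__main__":
    # Compliant TLS 1.1 server: one handshake, no retry needed.
    print(connect("TLS 1.2", "TLS 1.1"))
    # Intolerant server only works when the client retries at a lower version.
    print(connect("TLS 1.2", "TLS 1.1", intolerant=True, insecure_fallback=True))
    # Cost of the retry: one failed handshake downgrades a TLS 1.2 server.
    print(connect("TLS 1.2", "TLS 1.2", insecure_fallback=True, disrupted=1))
```
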
Reporter
Comment 2•10 years ago
Thanks for the response and clarification, Dave. I guess the real issue is that TLS 1.2 is failing in the first place.
Reporter
Comment 3•10 years ago
Found the same issue in Bug 1153486, but tweaking Firefox to get the site to work isn't a resolution for me.
Comment 4•10 years ago
Hi Devin,
Thanks for filing the bug; it looks like this is a duplicate of Bug 1155932.
https://www.ssllabs.com/ssltest/analyze.html?d=nscsss.nd.edu:
> InCommon RSA Server CA
> 2 Sent by server Fingerprint: f4f26a16d4b913cf3208e664e3dd384e56ce77af
> RSA 2048 bits (e 65537) / SHA512withRSA
Note ^^^^^^
> HTTP server signature Microsoft-IIS/8.5
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Component: Untriaged → Security: PSM
Resolution: --- → DUPLICATE