DHE Cipher Suite incompatible with corporate proxy (BlueCoat)

UNCONFIRMED
Unassigned

Status

Mozilla Developer Network
General
UNCONFIRMED
2 years ago
2 years ago

People

(Reporter: Matt Steele, Unassigned)

Tracking

({in-triage})

Details

(Whiteboard: [specification][type:bug])

(Reporter)

Description

2 years ago
What did you do?
================
I'm behind a corporate proxy (BlueCoat), and it doesn't handle the DHE ciphers MDN appears to use.

What happened?
==============
When I attempt to access MDN sites (for example, https://developer.mozilla.org/en/DOM/Input.select) I receive a "Connection Reset" error.

What should have happened?
==========================
After discussing with our proxy group, they told me that BlueCoat doesn't handle DHE ciphers effectively. When we tried enabling DHE, it caused our proxies to crash. I'm not a security expert, but our security team told us the following:

Our version of BlueCoat supports ECDHE and ECDSA.  If ECDHE and ECDSA were supported, it would provide the same level of security, and allow the proxy to function properly.

Specific variants that are currently supported:

ECDHE-RSA-AES128-SHA (0xC013)
ECDHE-RSA-AES256-SHA (0xC014)
ECDHE-RSA-AES128-SHA256 (0xC027)
ECDHE-RSA-AES128-GCM-SHA256 (0xC02F)
ECDHE-RSA-RC4-SHA (0xC011)

ECDHE-ECDSA-AES128-SHA256 (0xC023)
ECDHE-ECDSA-AES128-GCM-SHA256 (0xC02B)
ECDHE-ECDSA-RC4-SHA (0xC007)
ECDHE-ECDSA-AES128-SHA (0xC009)
ECDHE-ECDSA-AES256-SHA (0xC00A)

Is there anything else we should know?
======================================
:cyliang - can you give us any advice on this? Sounds like our HTTPS doesn't work for some proxies?
Flags: needinfo?(cliang)

Comment 2

2 years ago
On the load balancers, we present different TLS ciphers depending on what level of security is needed and what kinds of clients need to be served.  There's a breakdown at https://wiki.mozilla.org/Security/Server_Side_TLS.  (Warning: it's a very long doc. =) )

We recently did an upgrade that now allows us to handle ECDHE ciphers.  

:groovecoder - The security person who normally works on TLS issues (esp. with testing) is out until July 13th.   Based on what I see in the wiki link above, I can make a pretty good guess as to what to add to the existing cipher list.  Would you like me to take a stab at adding some of these ciphers and/or would you rather wait until the subject matter expert returns (July 13th).
Flags: needinfo?(cliang)
We'll triage and prioritize this bug Friday. I can probably give a good/better answer then.

Matt - do you have a work-around for accessing MDN in the mean-time?
Flags: needinfo?(orphum)
(Reporter)

Comment 4

2 years ago
:groovecoder - I can access MDN off-proxy using a personal device (phone). Not an ideal workflow, but it should work for now.
Flags: needinfo?(orphum)
As :cyliang hinted at, prioritizing ECDHE above DHE will solve the issue. Both our DC load balancers and AWS ELBs support ECDHE so this should be an easy fix (assuming that enabling ECDHE doesn't break anything else in our LBs).

But, seriously, bluecoat?! :(
(Reporter)

Comment 6

2 years ago
Sounds great, thank you all!

:ulfr We move at the speed of enterprise, I suppose. I'm not a security person but I'm curious why Bluecoat is problematic?
> why Bluecoat is problematic?

Because it breaks a core principle of HTTPS, which is that the connection is encrypted on your personal/work machine and decrypted on the destination server (and vice-versa). When bluecoat MITM HTTPS, not only does it reads all content that is supposedly confidential to you, but it also limits the quality of the encryption method used to the best one it supports, as opposed to using the best one the web browser supports.
Keywords: in-triage
You need to log in before you can comment on or make changes to this bug.