www.vpv.scddesjardins.com is TLS 1.1/1.2 intolerant (fails with ssl_error_bad_mac_read)

RESOLVED FIXED

People

(Reporter: epinal99-bugzilla2, Unassigned)

Comment 1

3 years ago
Looks like the same sort of TLS 1.1/1.2 intolerance as seen in Bug 1130472: both fail with ssl_error_bad_mac_read, both have a server signature of "IBM_HTTP_Server".

security.tls.version.max = 3 -> Fail
security.tls.version.max = 2 -> Fail
security.tls.version.max = 1 -> OK

openssl s_client -connect www.vpv.scddesjardins.com:443
> CONNECTED(00000003)
> depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> 140477050304144:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:486:

openssl s_client -connect www.vpv.scddesjardins.com:443 -no_tls1_2
> CONNECTED(00000003)
> depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> 139868204430992:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:486:

openssl s_client -connect www.vpv.scddesjardins.com:443 -no_tls1_2 -no_tls1_1
> CONNECTED(00000003)
> depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
> verify error:num=19:self signed certificate in certificate chain
> verify return:0

Blocks: 1126620
OS: Unspecified → All
Hardware: Unspecified → All
Summary: sends ssl_error_bad_mac_read on https://www.vpv.scddesjardins.com/ACS/presentation.do?lang=fr&cntry=CA&dom=FED → www.vpv.scddesjardins.com is TLS 1.1/1.2 intolerant (fails with ssl_error_bad_mac_read)
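
The version-ceiling test in Comment 1 can be turned into a repeatable check. This is an added example, not part of the bug thread or of Firefox/OpenSSL code; the function names and verdict strings are hypothetical, and it assumes an OpenSSL build whose highest protocol is TLS 1.2, as in the transcripts above.

```python
import re

# security.tls.version.max values used in Comment 1, with the s_client flags
# that impose the same ceiling (flags as they appear on this page).
CAPS = {
    3: ("TLS 1.2", []),
    2: ("TLS 1.1", ["-no_tls1_2"]),
    1: ("TLS 1.0", ["-no_tls1_2", "-no_tls1_1"]),
}

SSL_ERROR = re.compile(r":error:[0-9A-Fa-f]+:SSL routines:")

def s_client_argv(host, cap, port=443):
    """Command line that offers at most the protocol for `cap`."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}", *CAPS[cap][1]]

def handshake_ok(transcript):
    """True when the s_client transcript connected and logged no SSL error."""
    return "CONNECTED(" in transcript and not SSL_ERROR.search(transcript)

def classify(transcripts):
    """Map {cap: transcript} to (verdict, highest tolerated protocol or None)."""
    ok = [c for c, t in transcripts.items() if handshake_ok(t)]
    bad = [c for c in transcripts if c not in ok]
    if not ok:
        return ("all-failed", None)  # outage or other fault, not a version issue
    if not bad:
        return ("tolerant", CAPS[max(ok)][0])
    if max(ok) < min(bad):
        # Every ceiling above the working one fails: the server breaks on
        # higher offers where it should negotiate down.
        return ("version-intolerant", CAPS[max(ok)][0])
    return ("inconclusive", None)  # failures are not ordered by version

# Transcripts abridged from Comment 1 (certificate chain lines omitted).
BAD_MAC = ("CONNECTED(00000003)\nverify return:0\n"
           "140477050304144:error:1408F119:SSL routines:SSL3_GET_RECORD:"
           "decryption failed or bad record mac:s3_pkt.c:486:\n")
CLEAN = "CONNECTED(00000003)\nverify return:0\n"
OBSERVED = {3: BAD_MAC, 2: BAD_MAC, 1: CLEAN}

if __name__ == "__main__":
    print(classify(OBSERVED))
```

A failure at every ceiling is reported separately because it points to an outage or an unrelated fault, not to version intolerance.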

Comment 2

3 years ago
I wonder if it is an incorrect premaster secret version check or something else.
Fixed.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED