Closed Bug 1216927 Opened 6 years ago Closed 6 years ago

velocityfrequentflyer.com and virginaustralia.com are RC4-only

Categories

(Web Compatibility :: Desktop, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jya, Unassigned)

[I don't know where to lodge this bug, so putting it here]

This issue used to be intermittent, but it's now happening all the time.

Deleting the cert DB helped for a little while, but now I just always get an error forcing me to start Chrome.

Accessing any of the Virgin Australia web sites just fails:
https://www.velocityfrequentflyer.com/
or:
https://www.virginaustralia.com/

will yield:
"Secure Connection Failed

An error occurred during a connection to www.velocityfrequentflyer.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem."

I can't see anything wrong with the certificate, and those pages load fine with any of the other browsers I play with.

In FFOS I'm given the choice to make a permanent exception but not on Firefox desktop.

I reported the issue using the "Report a problem" link months ago, but the issue is still there.

Both sites are RC4-only:
https://www.ssllabs.com/ssltest/analyze.html?d=velocityfrequentflyer.com
https://www.ssllabs.com/ssltest/analyze.html?d=virginaustralia.com

What channel are you running? This should work on release/beta. If you're running nightly, there should be an option to add an override.
Flags: needinfo?(jyavenard)

I use Aurora as my primary browser.

What is the override?

Does it simply get automatically enabled on beta/release?
Flags: needinfo?(jyavenard)

If you add those sites to the pref "security.tls.insecure_fallback_hosts" (comma-separated), it should work. We haven't disabled RC4 fallback on beta/release (we're waiting for the UI to ride the trains, basically).
Component: Security → Desktop
Product: Firefox → Tech Evangelism
Summary: Cant access any of the virgin australia related web sites. → velocityfrequentflyer.com and virginaustralia.com are RC4-only

I had to enter the fully qualified domain name:
security.tls.insecure_fallback_hosts;velocityfrequentflyer.com,virginaustralia.com,velocityrewards.com.au,www.velocityrewards.com.au,www.velocityfrequentflyer.com,www.virginaustralia.com

to be able to access the site.

Is this going to be required in future versions? I can't expect anyone to go to the trouble of doing this; they will just switch browsers :(

Please make sure you are using the latest build. With the latest Nightly, you should see the following message:
"Your connection is not secure

The owner of www.velocityfrequentflyer.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Advanced info: ssl_error_no_cypher_overlap"

You should be able to access the site by clicking [Advanced] > [(Not secure) Try loading www.velocityfrequentflyer.com using outdated security] without fiddling with about:config.

(In reply to Jean-Yves Avenard [:jya] from comment #4)
> Is this going to be required in future version? I can't expect anyone going
> to the trouble to do this and will just switch browsers :(

Chrome and Edge/IE will also disable RC4 by default around the Firefox 44 release date. So they should have no choice to switch to :)

(In reply to Jean-Yves Avenard [:jya] from comment #2)
> I use Aurora as my primary browser.

Oh, I overlooked this. We disabled RC4 fallback on Nightly/Aurora so that web devs can notice the problem earlier. When Firefox 43 is merged to beta, RC4 fallback will be automatically re-enabled. We have had a fallback UI since Firefox 44 (see comment #5).
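The behaviour described in comments 3, 4 and 6, modelled as an added example that is not part of the original thread and is not Firefox or NSS code: a first handshake without RC4, then an RC4 retry only when fallback is allowed for the host. The function names, the `rc4FallbackForAll` option and the server suite lists are constructed for illustration; exact-hostname matching of the pref is an assumption taken from comment 4.

```javascript
// Simplified model of the negotiation discussed in this bug; not Firefox or NSS code.
// Suite names are IANA TLS cipher suite names.
const RC4 = ["TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"];
const NON_RC4 = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"];

// Parse a comma-separated pref value such as security.tls.insecure_fallback_hosts.
function parseFallbackHosts(prefValue) {
  return new Set(prefValue.split(",").map(h => h.trim().toLowerCase()).filter(h => h !== ""));
}

// First suite in the client's order that the server also supports, or null.
function negotiate(clientSuites, serverSuites) {
  const server = new Set(serverSuites);
  return clientSuites.find(s => server.has(s)) || null;
}

function isRc4Only(serverSuites) {
  return serverSuites.length > 0 && serverSuites.every(s => s.includes("_RC4_"));
}

// client.rc4FallbackForAll (hypothetical option): true models beta/release at the
// time of the bug, false models Nightly/Aurora. Assumption from comment 4: the
// allowlist matches the exact hostname, so "example.com" does not cover "www.example.com".
function connect(host, serverSuites, client) {
  const first = negotiate(NON_RC4, serverSuites);
  if (first) return { ok: true, suite: first, usedRc4Fallback: false };
  const allowed = client.rc4FallbackForAll ||
    parseFallbackHosts(client.insecureFallbackHosts).has(host.toLowerCase());
  const retry = allowed ? negotiate(RC4, serverSuites) : null;
  if (retry) return { ok: true, suite: retry, usedRc4Fallback: true };
  return { ok: false, error: "ssl_error_no_cypher_overlap", serverIsRc4Only: isRc4Only(serverSuites) };
}

// Constructed server configurations (the page only says the sites are RC4-only).
const rc4OnlyServer = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"];
const fixedServer = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_SHA"];

function demo() {
  const host = "www.velocityfrequentflyer.com";
  return {
    release: connect(host, rc4OnlyServer, { rc4FallbackForAll: true, insecureFallbackHosts: "" }),
    aurora: connect(host, rc4OnlyServer, { rc4FallbackForAll: false, insecureFallbackHosts: "" }),
    bareDomain: connect(host, rc4OnlyServer, { rc4FallbackForAll: false, insecureFallbackHosts: "velocityfrequentflyer.com" }),
    fqdn: connect(host, rc4OnlyServer, { rc4FallbackForAll: false, insecureFallbackHosts: "velocityfrequentflyer.com, www.velocityfrequentflyer.com" }),
    afterFix: connect(host, fixedServer, { rc4FallbackForAll: false, insecureFallbackHosts: "" }),
  };
}
console.log(demo());
```

The `afterFix` case shows the server-side remedy: once the server offers any non-RC4 suite, the first handshake succeeds and no fallback entry is needed.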
(In reply to Masatoshi Kimura [:emk] from comment #5)
> Please make sure you are using the latest build. With the latest Nightly,
> you should see the following message:
> "Your connection is not secure
> 
> The owner of www.velocityfrequentflyer.com has configured their website
> improperly. To protect your information from being stolen, Firefox has not
> connected to this website.
> Advanced info: ssl_error_no_cypher_overlap"
> 
> You should be able to access the site by clicking [Advanced] > [(Not secure)
> Try loading www.velocityfrequentflyer.com using outdated security] without
> fiddling with about:config.

Is this available on 43?

(In reply to Jean-Yves Avenard [:jya] from comment #7)
> (In reply to Masatoshi Kimura [:emk] from comment #5)
> > Please make sure you are using the latest build. With the latest Nightly,
> > you should see the following message:
> > "Your connection is not secure
> > 
> > The owner of www.velocityfrequentflyer.com has configured their website
> > improperly. To protect your information from being stolen, Firefox has not
> > connected to this website.
> > Advanced info: ssl_error_no_cypher_overlap"
> > 
> > You should be able to access the site by clicking [Advanced] > [(Not secure)
> > Try loading www.velocityfrequentflyer.com using outdated security] without
> > fiddling with about:config.
> 
> is this available on 43 ?

No, please read the next comment.

I am getting this error on ALL URLs. Adding them to hosts in about:config has no effect. Using latest version, latest build.

An error occurred during a connection to www.velocityfrequentflyer.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem."

(In reply to Stephen Manion from comment #9)
> I am getting this error on ALL URLs. Adding them to hosts in about:config
> has no effect. Using latest version, latest build.

Please file a new bug instead of taking over a random bug for specific sites.
Probably some AV scanners, MITM proxies or malware intercept your SSL connections.

Depends on: 1202517

Fixed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility